13 matches found
Insufficient Granularity of Access Control
Overview org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the getMembers methods that serve the group members...
CVE-2025-69284
CVE-2025-69284 affects the open-source project management tool Plane (plane.io). Before version 1.2.0, a guest user could access the API endpoint /api/workspaces/:slug/members/ and enumerate members of a workspace they joined. The response’s display_name is the email handler, allowing a malicious...
EUVD-2025-206228
Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https://app.plane.so/:slug/settings. Prior to Plane version 1.2.0, a problem occurs when the /api/workspaces/:slug/members/ is accessible by guest and able to list of users on a...
CVE-2025-69284 In plane.io, a Guest User to a Workspace can still be able to see list of members
Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https://app.plane.so/:slug/settings. Prior to Plane version 1.2.0, a problem occurs when the /api/workspaces/:slug/members/ is accessible by guest and able to list of users on a...
PT-2026-1101
Name of the Vulnerable Software and Affected Versions Plane versions prior to 1.2.0 Description Plane is an open-source project management tool. A guest user, lacking the necessary permissions, could access the /api/workspaces/:slug/members/ endpoint and list users within a workspace they have...
CVE-2025-14052 youlaitech youlai-mall members getMemberById access control
A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. Affected by this vulnerability is the function getMemberById of the file /mall-ums/app-api/v1/members/. The manipulation of the argument memberId leads to improper access controls. The attack is possible to be carried out...
CVE-2025-10545 Guest user can add unauthorized team users to private channels
Mattermost versions 10.5.x = 10.5.10, 10.11.x = 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the /api/v4/channels/channelid/members endpoint...
SUSE CVE-2025-1792
Mattermost versions 10.7.x = 10.7.0, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint...
CVE-2025-1792
Mattermost versions 10.7.x = 10.7.0, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint...
CVE-2025-1792
Mattermost versions 10.7.x = 10.7.0, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint...
CVE-2025-1792
CVE-2025-1792 affects Mattermost Server: 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x
CVE-2025-1792 Improper Access Control in Mattermost Channel Member API
Mattermost versions 10.7.x = 10.7.0, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint...
Improper Access Control
ghost is vulnerable to improper access control. An unprivileged member has the ability to view and change unintended newsletter settings due to improper validation for nested objects in Memebers API...