136 matches found
GHSA-2VV2-3X8X-4GV7 Flowise OS command remote code execution
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls RBAC. Furthermore, in Flowise versions before 3.0.1 the...
CVE-2024-12307
A function-level access control vulnerability in Unifiedtransform version 2.0 and potentially earlier versions allows teachers to modify student personal data without proper authorization. The vulnerability exists due to missing access control checks in the student editing functionality. At the...
CVE-2023-33970
Kanboard is open source project management software that focuses on the Kanban methodology. A vulnerability related to a missing access control was found, which allows a User with the lowest privileges to leak all the tasks and projects titles within the software, even if they are not invited or...
Codemers KLIMS 安全漏洞
Codemers KLIMS is a system for laboratory information management from Codemers. A security vulnerability exists in Codemers KLIMS version 1.6.DEV, which stems from a missing access control mechanism that could lead to elevated privileges...
CVE-2025-20230
In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could edit and delete other user data in App Key Value...
CVE-2024-9000
In lunary-ai/lunary before version 1.4.26, the checklists.post endpoint allows users to create or modify checklists without validating whether the user has proper permissions. This missing access control permits unauthorized users to create checklists, bypassing intended permission checks...
The vulnerability of the DDNS service in the D-Link DIR-816 A2 router software allows a hacker to compromise the integrity of the protected information.
The vulnerability of the DDNS service in the D-Link DIR-816 A2 router software lies in its lack of access control mechanisms. Exploiting this vulnerability allows a malicious actor to compromise the integrity of the protected information...
CVE-2024-38292
In Extreme Networks XIQ-SE before 24.2.11, due to a missing access control check, a path traversal is possible, which may lead to privilege escalation...
VulnCheck KEV: CVE-2018-1217
Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or change the Local...
CVE-2025-24885
pwn.college is an education platform to learn about, and practice, core cybersecurity concepts in a hands-on fashion. Missing access control on rendering custom unprivileged dojo pages causes ability for users to create stored XSS...
CVE-2024-42169
HCL MyXalytics is affected by insecure direct object references. It occurs due to missing access control checks, which fail to verify whether a user should be allowed to access specific data...
Missing access control on endpoint to list all evaluations in lunary-ai/lunary
Description The /v1/evaluators/ route allows users to fetch all evaluators of a project by sending a GET request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can access evaluator data. The current implementation: Does not...
CVE-2024-41108
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. The hostinfo page has missing/improper access control since only the host's mac address is required to obtain the configuration information. This data can only be retrieved if a task is pending on that...
PT-2024-27471 · User Oidc · User Oidc
Name of the Vulnerable Software and Affected Versions: user oidc app versions prior to 3.0.0 user oidc app versions prior to 4.0.0 user oidc app versions prior to 5.0.0 Description: The issue is related to missing access control on the ID4me endpoint, allowing an attacker to register an account a...
GHSA-R978-9M6M-6GM6 Apache ZooKeeper vulnerable to information disclosure in persistent watchers handling
Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher addWatch command to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when th...
Apache Zookeeper 信息泄露漏洞
Apache Zookeeper is a software project of the U.S. Apache Apache Foundation, which is able to provide open source distributed configuration services, synchronization services, and naming registry for large-scale distributed computing. Apache ZooKeeper has an information disclosure vulnerability...
PT-2024-20674 · Jetbrains · Teamcity
Name of the Vulnerable Software and Affected Versions: JetBrains TeamCity versions prior to 2023.11.2 Description: The issue is related to missing access control at the S3 Artifact Storage plugin endpoint. This could potentially allow unauthorized access. Recommendations: For versions prior to...
CVE-2023-34063
Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows...
CVE-2023-34063
Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows...
CVE-2023-34063
VMware Aria Automation (formerly vRealize Automation) is affected by CVE-2023-34063 due to a Missing Access Control flaw. An authenticated attacker could gain unauthorized access to remote organizations and workflows. The vulnerability affects Aria Automation prior to fixed builds; no exploit det...