GHSA-XQV4-XM7H-52CV Admidio's Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items

Summary The Admidio inventory module enforces authorization for destructive operations delete, retire, reinstate only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for itemdelete, itemretire, itemreinstate, itempictureupload, itempicturesav...

AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php

Summary The plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php require User::isAdmin. Details The entire...

GHSA-5Q8V-J673-M5V4 Firefly III user API endpoints expose all users' information to any authenticated user (IDOR)

Summary The User management API endpoints GET /api/v1/users and GET /api/v1/users/id are accessible to any authenticated user without admin/owner role verification, exposing all users' email addresses, roles, and account status. Affected Endpoints 1. GET /api/v1/users UserController::index, line ...