3 matches found
GHSA-CJ9G-27PH-4CGV wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API
Summary Any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own. The RoutinePermission class grants read access to any authenticated user when a routine has...
Authorization Bypass Through User-Controlled Key
Overview @withstudiocms/api-spec is an API Specification for StudioCMS Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the getUsers process. An attacker can access sensitive owner account information, such as IDs, usernames, display names, a...
CVE-2021-0986
In hasGrantedPolicy of DevicePolicyManagerService.java, there is a possible information disclosure about the device owner, profile owner, or device admin due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User...