CVE-2026-47236 Solidtime team page exposes pending invitation and member emails to employees who lack invitations:view/members:view permission
Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines explicit invitations:view and members:view permissions that gate the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam and then loads and...
CVE-2023-46648
An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console. To exploit this vulnerability, an attacker would need knowledge that a user invitation was pending. This vulnerability...
HackerOne: Pending member invitations are not revoked on program name change
Summary: When a private program updates the handle of its HackerOne program, former team members can see the new updated handle using the old invitation link. The invitation link looks like https://hackerone.com/invitations/ This may also be true for participants participating in private programs but ...