CVE-2026-33501
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user...
Rocket.Chat: It is possible to elevate privileges for any authenticated user to view permissions matrix and view Direct messages without appropriate permissions.
Description: For a user with only the "View Private Room" permission, it is possible to rewrite the permission role, e.g. to admin, in the /api/v1/me method response via some proxy tools, e.g. Charles, and get access to the server's permissions matrix and view Direct messages. Releases Affected...