CVE-2026-24885

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a Cross-Site Request Forgery CSRF vulnerability exists in the ProjectPermissionController within the Kanboard application. The application fails to strictly enforce the application/json Content-Type for the...

CVE-2026-24885

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a Cross-Site Request Forgery CSRF vulnerability exists in the ProjectPermissionController within the Kanboard application. The application fails to strictly enforce the application/json Content-Type for the...

GHSA-28G7-896H-695V Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication

Impact This vulnerability only affects customers using group based authentication in Rancher versions up to and including 2.4.17, 2.5.11 and 2.6.2. When removing a Project Role associated to a group from a project, the bindings that grant access to cluster scoped resources for those subjects do n...

SUSE CVE-2020-12690

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. Th...

Privilege escalation in project role template binding (PRTB) and -promoted roles

Impact An issue was discovered in Rancher versions from 2.5.0 up to and including 2.5.16 and from 2.6.0 up to and including 2.6.9, where an authorization logic flaw allows privilege escalation via project role template binding PRTB and -promoted roles. This issue is not present in Rancher 2.7...

GHSA-7M72-MH5R-6J3R Privilege escalation in project role template binding (PRTB) and -promoted roles

Impact An issue was discovered in Rancher versions from 2.5.0 up to and including 2.5.16 and from 2.6.0 up to and including 2.6.9, where an authorization logic flaw allows privilege escalation via project role template binding PRTB and -promoted roles. This issue is not present in Rancher 2.7...

Atlassian Jira Access Control Error Vulnerability (CNVD-2021-99668)

Atlassian Jira is a defect tracking system from Atlassian Australia. An access control error vulnerability exists in Atlassian Jira Server and Data Center, which stems from an authentication in the product's /plugins/servlet/project-config/PROJECT/roles endpoint. is corrupted, and an attacker cou...

PT-2021-23266 · Atlassian · Jira

Name of the Vulnerable Software and Affected Versions: Atlassian Jira Server and Data Center versions prior to 8.19.1 Description: The issue allows attackers with access to an administrator account that has had its access revoked to modify projects' Users & Roles settings. This is achieved throug...

openstack-keystone: OAuth1 request token authorize silently ignores roles parameter

A flaw was found in Keystone, where it inadvertently provided OAuth1 access tokens to every role assignment the creator had for a project, resulting in giving more permissions and escalated access in role assignments than intended. The greatest impact is on confidentiality...

Privilege Escalation

openstack keystone is vulnerable to privilege escalation. A low-privileged user with a limited role is able to authenticate against Keystone using an EC2 credentials to obtain all project roles of a trust/oauth/applicationcredential owner...

UBUNTU-CVE-2020-12690

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. Th...

Restricted Work Log entries show in the Activity Stream in JIRA Server

This is a regression of bug JRASERVER-34022: Restricted Work Log entries show in the Activity Stream in JIRA Server fixed in JIRA Server including JIRA Core 7.3.8|https://jira.atlassian.com/browse/JRASERVER-34022. Apparently this is a regression and users that are not meant to see the worklogs ca...

DEBIAN-CVE-2017-2673

An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service keystone. An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles...

PYSEC-2018-152

An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service keystone. An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles...

USN-3448-1 keystone vulnerability

Boris Bobrov discovered that OpenStack Keystone incorrectly handled federation mapping when there are rules in which group-based assignments are not used. A remote authenticated user may receive all the roles assigned to a project regardless of the federation mapping, contrary to expectations...

UBUNTU-CVE-2017-2673

An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service keystone. An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles...

Restricted Work Log entries show in the Activity Stream in JIRA Server

h3. Summary When using a group comment visibility on worklogs the restriction is not applied in the Activity Stream. h3. Steps to Reproduce Set up a test user JIRA Users. Enable comment visibility to support groups as per Configuring JIRA...