15 matches found
CVE-2026-57307
CVE-2026-57307 describes a vulnerability in the Jenkins Zowe zDevOps Plugin (1.1.3.50.ve350c9b_450b_1 and earlier) where a missing permission check allows users with Overall/Read to initiate connections to attacker-specified URLs using attacker-specified credentials IDs. This can lead to credenti...
BIT-MONGODB-2026-11933 Post-authentication use-after-free in server-side JavaScript BSON-to-array conversion
A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript for example, via $where or $function can cause the server to access...
CVE-2026-47744
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount authorization. Any authenticated user could load the page and use its public...
CVE-2026-47744
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount authorization. Any authenticated user could load the page and use its public...
PT-2026-44944
Name of the Vulnerable Software and Affected Versions Shopper versions prior to 2.8.0 Description Two authorization defects in the team settings allow an authenticated user to compromise the Role-Based Access Control RBAC system. The endpoint "Settings/Team/Index" lacks mount authorization,...
CVE-2026-23980
Apache Superset CVE-2026-23980 describes an SQL injection issue (improper neutralization of special elements) that can be exploited by an authenticated user with read access via sqlExpression or where parameters. Affected software: Superset versions before 6.0.0. Impact as per CVSS: MEDIUM (5.3),...
CVE-2026-23980 Apache Superset: Improper Neutralization of Special Elements used in a SQL Command
Improper Neutralization of Special Elements used in a SQL Command 'SQL Injection' vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters. This issue affects Apache Superset: before 6.0.0. Users...
CVE-2025-11862
A security issue was discovered within Verve Asset Manager allowing unauthorized read-only users to read, update, and delete users via the API...
CVE-2025-11862 Verve Asset Manager Access Control Vulnerability
A security issue was discovered within Verve Asset Manager allowing unauthorized read-only users to read, update, and delete users via the API...
Design/Logic Flaw
A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this...
CVE-2022-23709
A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this...
CVE-2022-23709
A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this...
PT-2019-11868 · Jenkins · Jenkins Global Post Script Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Global Post Script Plugin affected versions not specified Description: The issue is related to a missing permission check in the Jenkins Global Post Script Plugin. This allows users with Overall/Read access to list the scripts availab...
CloudBees Jenkins VMware Lab Manager Slaves Plugin Authorization Issue Vulnerability (CNVD-2019-30405)
CloudBees Jenkins Hudson Labs is a set of Java-based continuous integration tools from CloudBees, Inc. The product is mainly used to monitor continuous software version release/testing projects and some timed tasks.VMware Lab Manager Slaves Plugin is used in which a plugin for controlling virtual...
PT-2019-11389 · Jenkins · Jenkins Openid Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins openid Plugin affected versions not specified Description: A missing permission check in the OpenIdSsoSecurityRealm.DescriptorImpldoValidate form validation method allows attackers with Overall/Read permission to initiate a connection...