21 matches found
PT-2026-44941
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark...
CVE-2024-23104
An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.8, FortiNDR 7.2 all versions, FortiNDR 7.1 all versions, FortiNDR 7.0 all versions, FortiVoice 7.0.0 through 7.0.1 may allow a remote authenticated attacker with at...
GO-2026-4450 Gogs user can update repository content with read-only permission in gogs.io/gogs
Gogs user can update repository content with read-only permission in gogs.io/gogs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners,...
CVE-2026-23632
CVE-2026-23632 (Gogs) : A bug in Gogs prior to 0.13.4 allows a token with read permission to modify repository contents via the PUT /repos/:owner/:repo/contents/* endpoint. After repoAssignment() passes, PutContents() calls UpdateRepoFile(), leading to commit creation and git push, enabling unaut...
CVE-2025-66545
CVE-2025-66545 affects Nextcloud Groupfolders . A user with read-only permissions could restore a file from the trash bin in group/shared folders, before versions 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2. The issue is resolved in those respective fixed versions. If you use G...
CVE-2025-66545 Nextcloud Groupfolders users with read-only permissions for team folder can restore deleted files from trash bin
Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15...
Users with read-only permissions for team folder can restore deleted files from trash bin
None...
CVE-2025-54971
An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiADC 7.4.0, FortiADC 7.2 all versions, FortiADC 7.1 all versions, FortiADC 7.0 all versions, FortiADC 6.2 all versions may allow an admin with read-only permission to get the external resources password vi...
EUVD-2025-10307
Malicious code in bioql PyPI...
EUVD-2024-54238
Malicious code in bioql PyPI...
EUVD-2024-24971
Malicious code in bioql PyPI...
EUVD-2023-54459
Malicious code in bioql PyPI...
CVE-2024-52961
An improper neutralization of special elements used in an OS Command vulnerability CWE-78 vulnerability in Fortinet FortiSandbox 5.0.0, FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2.1 through 4.2.7, FortiSandbox 4.0.0 through 4.0.5, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all version...
CVE-2024-52961
An improper neutralization of special elements used in an OS Command vulnerability CWE-78 vulnerability in Fortinet FortiSandbox 5.0.0, FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2.1 through 4.2.7, FortiSandbox 4.0.0 through 4.0.5, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all version...
CVE-2024-52961
CVE-2024-52961 affects Fortinet FortiSandbox OS command handling. Affected are FortiSandbox versions 3.0–5.0.0 (various 3.x and 4.x releases; 5.0.0 cited). The vulnerability is due to improper neutralization of specific elements used in an OS command, allowing an authenticated attacker with read-...
CVE-2023-4606
An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected...
PT-2023-29817 · Lenovo · Thinksystem
Name of the Vulnerable Software and Affected Versions: ThinkSystem versions v2 and v3 Description: An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command. This issue affects ThinkSystem servers with XCC. Recommendations: For...
Huawei EulerOS: Security Advisory for libvirt (EulerOS-SA-2023-1348)
The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
HackerOne: Email Address Leak
Hello, I have found out that when a team invites a team member via username, the email address of the invited user is being disclosed after he accepted it. This can be abused since we all know that the email address is not publicly visible through hackerone profile. One team can abuse its functio...
HackerOne: User with Read-Only permissions can edit the SwagAwarded Activities on Bug Reports
Poc : 1.Login into Programtestbug as owner account 2.Create a new group with "Reward" Permission . Add a user to that group 3.Create a new group with "Read-only" Permission . Add a user to that group 3.Login into user account Report a bug to Program testbug 4."Reward" Permission User awarded a sw...