16 matches found
CVE-2026-43889
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each—skipping the "share" permission check. A subsequent shares.update authorize...
CVE-2026-43889
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each—skipping the "share" permission check. A subsequent shares.update authorize...
CVE-2026-43889
Outline is vulnerable prior to 1.7.0 due to the shares.create API accepting both collectionId and documentId and, when published=false, skipping the share-permission check. A subsequent shares.update permits publication using an OR policy (can share collection OR can share document), allowing an ...
PT-2026-39857
Name of the Vulnerable Software and Affected Versions Outline versions prior to 1.7.0 Description The 'shares.create' API accepts both collectionId and documentId simultaneously. When published is set to false, the system only verifies read access for each, skipping the required share permission...
CVE-2026-32761
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges perm.download = false but granted share...
CVE-2026-32761 File Browser has an Authorization Policy Bypass in its Public Share Download Flow
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges perm.download = false but granted share...
CVE-2026-32761 File Browser has an Authorization Policy Bypass in its Public Share Download Flow
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges perm.download = false but granted share...
GHSA-68J5-4M99-W9W9 File Browser has an Authorization Policy Bypass in Public Share Download Flow
Summary A permission enforcement flaw allows users without download privileges download=false to still expose and retrieve file content via public share links when they retain share privileges share=true. This bypasses intended access control policy and enables unauthorized data exfiltration to...
CVE-2025-66557
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This...
CVE-2025-66557 Nextcloud Deck app allowed user with "Can share" permission to modify permissions of other non-owners
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This...
CVE-2025-66557 Nextcloud Deck app allowed user with "Can share" permission to modify permissions of other non-owners
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This...
CVE-2025-66557 Nextcloud Deck app allowed user with "Can share" permission to modify permissions of other non-owners
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This...
Deck app allowed user with "Can share" permission to modify permissions of other non-owners
None...
PT-2025-49299
Name of the Vulnerable Software and Affected Versions Nextcloud Deck versions prior to 1.14.6 Nextcloud Deck versions prior to 1.15.2 Description Nextcloud Deck is a kanban style organization tool for personal and team project management integrated with Nextcloud. A flaw in the permission logic...
Nextcloud: Deck app allowed user with "Can share" permission to modify permissions of other non-owners
The Deck app in Nextcloud allowed users with "Can share" permission to modify the permissions of other non-owners...
ownCloud < 10.2.1 Share Permission Vulnerability
ownCloud is prone to a vulnerability where it is possible to extend internal-share permissions using the API. SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier...