10 matches found
CVE-2024-24761
Galette is a membership management web application for non profit organizations. Starting in version 1.0.0 and prior to version 1.0.2, public pages are per default restricted to only administrators and staff members. From configuration, it is possible to restrict to up-to-date members or to...
CVE-2024-24761
Galette is a membership management web application for non profit organizations. Starting in version 1.0.0 and prior to version 1.0.2, public pages are per default restricted to only administrators and staff members. From configuration, it is possible to restrict to up-to-date members or to...
CVE-2024-24761 Galette public pages accessibility restriction
Galette is a membership management web application for non profit organizations. Starting in version 1.0.0 and prior to version 1.0.2, public pages are per default restricted to only administrators and staff members. From configuration, it is possible to restrict to up-to-date members or to...
Shopify: Collaborators and Staff members without all necessary permissions are able to create, edit and install custom apps
Summary: Custom Apps - Permissions The store owner, collaborators and staff members can create, edit and install custom apps for their shopify store. Therefor, these users need multiple permissions. The permissions View apps developed by staff and collaborators Develop apps and Manage and install...
Path Traversal in Django
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if and only if the default admindocs templates have been...
CVE-2021-33203
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if and only if the default admindocs templates have been...
Directory traversal
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if and only if the default admindocs templates have been...
Shopify: Bypass report #416983 - Removed Staff members who had "Apps" permission can still modify flow app connections
The following report intends to disclose a bypass for 416983. It's been found that removed staff members who had "Apps" permission can still modify flow app connection settings due to improper authorization. Description Signed URLs generated by Shopify Flow https://apps.shopify.com/flow use a...
Shopify: any staff members have the ability to comment in [discounts] he/she can disable comment section it to other staff even the admin of the store
Hi, I found this cool behavior by mistake when I was testing for some GraphQL, any user have ability to comment in discounts code at discounts section can turn off comments to the other staff members include the admin/manager of the store. this happens because when the GraphQL used to create a...
Shopify: Staff members with no permission can access to the files, uploaded by the administrator
Staff members with no permission can access to the files, uploaded by the administrator Test 1 If the member has access only to the section Products, Inventory, & Collections 1. Go to the Products - Product Name - Description 2. Click the button - Add Image 3. In the section Uploaded images are a...