19 matches found
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the API response process. An attacker can access sensitive information about team member roles by invoking various team API endpoints without having elevated permissions. Remediation Upgrade...
CVE-2026-41498
Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with th...
EUVD-2026-28495
Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with th...
CVE-2026-41498 Kimai: Team API Missing Object-Level Authorization
Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with th...
CVE-2026-41498
Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with th...
GHSA-JV9X-W4GM-HWCM Kimai has Missing Object-Level Authorization in the Team API
Summary The Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the editteam permission to modify any team, not just teams they are...
Kimai has Missing Object-Level Authorization in the Team API
Summary The Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the editteam permission to modify any team, not just teams they are...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the Team API endpoints due to improper authorization checks in the TeamController process. An attacker can gain unauthorized access to modify any team's membership, customer assignments, project assignments, and...
SUSE CVE-2017-18902
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints...
CVE-2025-66429
An issue was discovered in cPanel 110 through 132. A directory traversal vulnerability within the Team Manager API allows for overwrite of an arbitrary file. This can allow for privilege escalation to the root user...
SUSE CVE-2025-3446
Mattermost versions 10.6.x = 10.6.1, 10.5.x = 10.5.2, 10.4.x = 10.4.4, 9.11.x = 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API to add a single user to a team...
Malicious code in simple-team-api (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ad5da4b4631227adabb1a524dc451f3f7fce259d5c7c64d148e91f6edc74d4a8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2023-8180 Malicious code in simple-team-api (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ad5da4b4631227adabb1a524dc451f3f7fce259d5c7c64d148e91f6edc74d4a8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2023-27266 Disclosure of team owner email address when when accessing the teams API
Mattermost fails to honor the ShowEmailAddress setting when constructing a response to the /api/v4/users/me/teams API endpoint, allowing an attacker with team admin privileges to learn the team owner's email address in the response...
GHSA-JWFV-5HWQ-F97R Mattermost Server exposes team invite IDs through API endpoints
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints...
CVE-2017-18902
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints...
CVE-2017-18902
Mattermost Server contains a vulnerability affecting versions before 4.1.0, 4.0.4, and 3.10.3 where team invite IDs can be disclosed via team API endpoints. The exact root cause is not detailed in the provided documents, but the issue enables an information disclosure via the API. Impact is limit...
CVE-2017-18902
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints...
Input validation
In Octopus Deploy before 2019.10.6, an authenticated user with TeamEdit permission could send a malformed Team API request that bypasses input validation and causes an application level denial of service condition. The fix for this was also backported to LTS 2019.9.8 and LTS 2019.6.14...