Lucene search
K

6 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:49 p.m.8 views

CVE-2026-41498

Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with th...

3.3CVSS5.4AI score0.00247EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.15 views

PT-2026-42404

Name of the Vulnerable Software and Affected Versions Mattermost version 11.5.1 Description An issue exists where the system fails to validate the team-level run create permission against the target team during the creation of a playbook run. This allows an authenticated team member to create run...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References10
Snyk
Snyk
added 2026/04/24 4:17 p.m.5 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the Team API endpoints due to improper authorization checks in the TeamController process. An attacker can gain unauthorized access to modify any team's membership, customer assignments, project assignments, and...

3.3CVSS5.8AI score0.00247EPSS
Exploits1References2
OSV
OSV
added 2026/04/24 4:17 p.m.4 views

GHSA-JV9X-W4GM-HWCM Kimai has Missing Object-Level Authorization in the Team API

Summary The Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the editteam permission to modify any team, not just teams they are...

3.3CVSS5.8AI score0.00247EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/04/24 4:17 p.m.16 views

Kimai has Missing Object-Level Authorization in the Team API

Summary The Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the editteam permission to modify any team, not just teams they are...

3.3CVSS5.5AI score0.00247EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2025/05/29 6:31 p.m.7 views

GHSA-4MMR-2W8P-WHCR Mattermost improperly allows team administrators to modify team invites

Mattermost versions 10.7.x = 10.7.0, 10.6.x = 10.6.2, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the...

5.3CVSS7AI score0.00265EPSS
Exploits0References4
Rows per page
Query Builder