19 matches found
CVE-2026-47744
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount authorization. Any authenticated user could load the page and use its public...
CVE-2026-47744
CVE-2026-47744 affects Shopper: a Headless e-commerce Admin Panel. Two authorization flaws in Settings/Team enable RBAC takeover prior to version 2.8.0. First, Settings/Team/Index had no mount() authorization, allowing any authenticated panel user to load the page and perform public actions to cr...
CVE-2026-47744 Shopper: Authorization bypass and RBAC privilege escalation in team settings
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount authorization. Any authenticated user could load the page and use its public...
CVE-2026-47744 Shopper: Authorization bypass and RBAC privilege escalation in team settings
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount authorization. Any authenticated user could load the page and use its public...
Shopper authorization issue vulnerability
Shopper is an open-source e-commerce management backend developed by Shopper Labs. Versions of Shopper prior to 2.8.0 had authorization-related vulnerabilities. These vulnerabilities stemmed from two authorization flaws in the team settings system: the mount method in Settings/Team/Index was not...
PT-2026-44944
Name of the Vulnerable Software and Affected Versions: Shopper versions prior to 2.8.0. Description: Two authorization defects in the team settings allow an authenticated user to compromise the Role-Based Access Control (RBAC) system. The endpoint "Settings/Team/Index" lacks mount authorization,...
GO-2026-4523 Mattermost fails to enforce invite permissions when updating team settings in github.com/mattermost/mattermost-server
Mattermost fails to enforce invite permissions when updating team settings in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive...
CVE-2025-14573
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561...
EUVD-2025-206979
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561...
GHSA-CGJG-P2M2-QM4P Mattermost fails to enforce invite permissions when updating team settings
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561...
CVE-2025-14573
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561...
Mattermost security vulnerability
Mattermost is an open-source collaboration platform developed by the American company Mattermost. Versions of Mattermost such as 10.11.9 and earlier, including 10.11.x, have security vulnerabilities. These vulnerabilities stem from the lack of enforceable invitation permissions during the update...
EUVD-2022-24860
Malicious code in bioql PyPI...
Sensitive Information Disclosure
LiteLLM is vulnerable to Sensitive Information Disclosure. The vulnerability is due to improper error handling due to an issue in proxy_server.py that leaks Langfuse API keys when an error occurs while parsing team settings, potentially exposing full access to stored requests...
Exposure of Sensitive Information Through Metadata
Overview: litellm is a library to easily interface with LLM API providers. Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Metadata due to an issue in proxy_server.py. An attacker can obtain sensitive information, including API keys, by triggering error...
Mattermost Incorrect Authorization vulnerability
Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public...
Soccer Engine – Soccer Plugin for WordPress < 1.13 - Cross-Site Request Forgery
Description: The Soccer Engine – Soccer Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation when saving match and team settings. This makes it possible for...
Team Members < 5.1.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its Team settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. PoC: The teamcolor field (i.e. "Main color" setting of a team) is affected. POST /wp-admin/post.php HTTP/1.1 Accept:...
CVE-2021-41101 CORS `Access-Control-Allow-Origin` settings are too lenient
wire-server is an open-source back end for Wire, a secure collaboration platform. Before version 2.106.0, the CORS Access-Control-Allow-Origin header set by nginz is set for all subdomains of .wire.com including wire.com. This means that if somebody were to find an XSS vector in any of the...