41 matches found
PT-2026-34029
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, customer-thread editing is authorized through ThreadPolicy::edit, which checks mailbox access but does not apply the assigned-only restriction from ConversationPolicy. A user who cannot view a conversation can...
CVE-2025-1007
In OpenVSX version v0.9.0 to v0.20.0, the /user/namespace/{namespace}/details API allows a user to edit all namespace details, even if the user is not a namespace Owner or Contributor. The details include: name, description, website, support link and social media links. The same issues existed in...
EUVD-2012-2687
Malware in sbrugna...
EUVD-2022-33882
Malicious code in bioql PyPI...
EUVD-2025-5091
Malicious code in bioql PyPI...
EUVD-2022-42715
Malicious code in bioql PyPI...
CVE-2025-42987
SAP Manage Processing Rules For Bank Statement allows an attacker with basic privileges to edit shared rules of any user by tampering the request parameter. Due to missing authorization check, the attacker can edit rules that should be restricted, compromising the integrity of the application...
SAP Manage Processing Rules security vulnerability
SAP is a suite of enterprise applications covering enterprise resource management, supply chain management, procurement, and travel and expense management. An authorization vulnerability exists in SAP Manage Processing Rules, which stems from insufficient...
CVE-2021-24800
The DW Question & Answer Pro WordPress plugin through 1.3.4 does not check that the comment to edit belongs to the user making the request, allowing any user to edit other comments...
CVE-2025-3874 WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and...
CVE-2024-12048
An IDOR (Insecure Direct Object Reference) vulnerability exists in transformeroptimus/superagi version v0.0.14. The application fails to properly check authorization for multiple API endpoints, allowing attackers to view, edit, and delete other users' information without proper authorization...
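The SAP, DW Question & Answer and SuperAGI entries above all describe the same defect: an edit endpoint verifies that the caller is logged in but never verifies that the caller is allowed to touch the object named by the request. The FreeScout entry adds the related point that an edit check must not be looser than the view check. The following is an added example, not code from any of the listed projects: a constructed in-memory comment store with a hypothetical edit handler in the vulnerable shape beside one that enforces object-level authorization, including answering "not found" to callers who may not view the object at all so the endpoint does not confirm which ids exist.

```python
from dataclasses import dataclass


class Unauthenticated(Exception):
    pass


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False


@dataclass
class Comment:
    id: int
    owner_id: int
    body: str
    collaborators: frozenset = frozenset()  # may read, but not edit


def make_store():
    """Constructed sample data (not from any real application): two comments
    by two different users; user 11 may read comment 1 but does not own it."""
    return {
        1: Comment(1, owner_id=10, body="first", collaborators=frozenset({11})),
        2: Comment(2, owner_id=11, body="second"),
    }


def edit_comment_vulnerable(store, user, comment_id, new_body):
    """The pattern behind the entries above: authentication is checked, object
    ownership is not, so any logged-in user can rewrite any comment by id."""
    if user is None:
        raise Unauthenticated()
    comment = store[comment_id]  # KeyError if the id does not exist
    comment.body = new_body
    return comment


def can_view(user, comment):
    return user.is_admin or user.id == comment.owner_id or user.id in comment.collaborators


def can_edit(user, comment):
    # Edit rights are a subset of view rights: never looser than can_view.
    return user.is_admin or user.id == comment.owner_id


def edit_comment(store, user, comment_id, new_body):
    """Hardened handler: authorization is decided per object, not per route."""
    if user is None:
        raise Unauthenticated()
    comment = store.get(comment_id)
    # A caller who may not view the object gets the same answer as for a
    # missing id, so the endpoint does not reveal which ids exist.
    if comment is None or not can_view(user, comment):
        raise NotFound()
    if not can_edit(user, comment):
        raise Forbidden()
    comment.body = new_body
    return comment


def outcome(handler, user, comment_id):
    """Run a handler against a fresh store and name the result, so the two
    handlers can be compared on identical requests."""
    try:
        handler(make_store(), user, comment_id, "tampered")
        return "edited"
    except (Unauthenticated, NotFound, Forbidden, KeyError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    alice, bob, carol, root = User(10), User(11), User(12), User(99, is_admin=True)
    for label, u in [("owner", alice), ("collaborator", bob), ("stranger", carol), ("admin", root)]:
        print(f"{label:12} vulnerable={outcome(edit_comment_vulnerable, u, 1):8} "
              f"fixed={outcome(edit_comment, u, 1)}")
```

Run as a script it prints one row per caller; the stranger (user 12) edits comment 1 through the vulnerable handler and gets NotFound from the hardened one, while the collaborator gets Forbidden because view rights do not imply edit rights.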
CVE-2025-1007
CVE-2025-1007 affects OpenVSX, specifically versions v0.9.0 through v0.20.0. The vulnerability arises in the /user/namespace/{namespace}/details API (and the related /user/namespace/{namespace}/details/logo) where a non-owner/non-contributor user can edit all namespace details (name, description,...
PT-2025-7484 · Openvsx · Openvsx
Name of the Vulnerable Software and Affected Versions: OpenVSX versions v0.9.0 through v0.20.0 Description: The issue allows a user to edit all namespace details, including name, description, website, support link, and social media links, even if the user is not a namespace Owner or Contributor...
CVE-2023-36477
XWiki Platform (CKEditor integration) is affected by a persistent XSS vulnerability exploitable by any authenticated user with edit rights who can modify pages in the CKEditor space. The issue enables editing actions that can lead to loss of service and unauthorized modification of CKEditor confi...
Design/Logic Flaw
In JetBrains TeamCity before 2023.05 improper permission checks allowed users without appropriate permissions to edit Build Configuration settings via REST API...
CVE-2023-32680
Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database–but affected versions of Metabase didn't enforce that requirement. This lack of enforcement meant that:...
CVE-2023-26839
A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to edit information for existing people on the site...
CVE-2022-3325
Improper access control in the GitLab CE/EE API affecting all versions starting from 12.8 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. Allowed for editing the approval rules via the API by an unauthorised user...
PT-2022-21757 · Gitlab · Gitlab Ce/Ee +1
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 12.8 through 15.2.5 GitLab CE/EE versions 15.3 through 15.3.4 GitLab CE/EE versions 15.4 through 15.4.1 Description: The issue is related to improper access control in the GitLab CE/EE API. This allows an unauthorized us...
CVE-2020-35759
bloofoxCMS 0.5.2.1 is vulnerable to a CSRF attack that lets an attacker edit any file content locally or remotely...