22 matches found
CVE-2026-45281 Nextcloud: Cross-Account Calendar Takeover via Unauthorized Group-Member-Set Update
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users’ principal URL an attacker could possibly send a request to gain full access to their calendar. Therefore, the...
EUVD-2026-24020
OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers can exploit insufficient allowlist enforcement to cause resource or billing consumption by...
CVE-2026-41331 OpenClaw < 2026.3.31 - Resource Consumption via Unauthorized Telegram Audio Preflight Transcription
OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers can exploit insufficient allowlist enforcement to cause resource or billing consumption by...
EUVD-2026-13021
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist...
EUVD-2025-208829
MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality for user management cUsers.cfc addToGroup method that allows attackers to escalate privileges by adding any user to any group without proper authorization checks. The vulnerable function lacks CSRF token...
CVE-2024-3127
An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL...
CVE-2013-1908
The Commons Wikis module before 7.x-3.1 for Drupal, as used in the Commons module before 7.x-3.1, does not properly restrict access to groups, which allows remote attackers to post arbitrary content to groups via unspecified vectors...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to the improper verification of user permissions when accessing groups. An attacker can view unauthorized group information by crafting a malicious API request. Remediation Upgrade...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to the improper verification of user permissions when accessing groups. An attacker can view unauthorized group information by crafting a malicious API request. Remediation Upgrade...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to the improper verification of user permissions when accessing groups. An attacker can view unauthorized group information by crafting a malicious API request. Remediation Upgrade...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to the improper verification of user permissions when accessing groups. An attacker can view unauthorized group information by crafting a malicious API request. Remediation Upgrade...
Q-Free MAXTIME Suite 安全漏洞
Q-Free MAXTIME Suite is a software suite for local traffic signal management from Q-Free. A security vulnerability exists in Q-Free MAXTIME Suite version 2.11.0 and prior versions that originates from a missing authorization in maxprofile/user-groups/routes.lua. An attacker exploiting this...
Vaultwarden 安全漏洞
Vaultwarden is an alternative implementation of the Bitwarden server API written in Rust by Daniel García Personal Developer. A security vulnerability exists in Vaultwarden versions prior to 1.32.6 that stems from insufficient permission checking of the Groups in Organizations feature, allowing a...
data.all 安全漏洞
data.all is an open source development framework from data-dot-all open source. A security vulnerability exists in data.all versions prior to 2.6.0, which stems from the ability of an authenticated user to perform a mutated UPDATE operation on a persistent notification record in data.all to targe...
PT-2024-7956 · Siemens · Sinema Remote Connect Server
Name of the Vulnerable Software and Affected Versions: SINEMA Remote Connect Server versions prior to V3.2 SP1 Description: The issue is related to improper authorization. It allows a remote attacker to gain unauthorized access to participant groups they should not have access to. The vulnerabili...
CVE-2023-37498 HCL Unica Platform is vulnerable to a privilege escalation by unauthorized group assignation
A user is capable of assigning him/herself to arbitrary groups by reusing a POST request issued by an administrator. It is possible that an attacker could potentially escalate their privileges...
CVE-2023-27310
A vulnerability has been identified in RUGGEDCOM CROSSBOW All versions V5.2. The client query handler of the affected application fails to check for proper permissions when assigning groups to user accounts. This could allow an authenticated remote attacker to assign administrative groups to...
CVE-2022-46677
Wyse Management Suite 3.8 and below contain an improper access control vulnerability with which an custom group admin can create a subgroup under a group for which the admin is not authorized...
CVE-2022-0358
A flaw was found in the QEMU virtio-fs shared file system daemon virtiofsd implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certa...
CVE-2021-46416
Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R leads to unauthorized user groups accessing due to insecure cookie handling...