6 matches found
CVE-2026-8074 Improper Permission Check Allows User Manager to Deactivate Bot Accounts
Mattermost versions 11.7.x = 11.7.0, 10.11.x = 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/id/active API...
Admidio Exposes Cross-Organization Member Data via Permission Check Mismatch in contacts_data.php
Summary The contactsdata.php endpoint uses a weaker permission check isAdministratorUsers, requiring only roledituser=true than the frontend UI contacts.php which correctly requires the stronger isAdministrator requiring roladministrator=true and the contactsshowall system setting. A user manager...
EUVD-2023-2588
Malicious code in bioql PyPI...
CVE-2023-5159
Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots...
CVE-2023-5159 A User Manager role with user edit permissions could manage/update bots
Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots...
CVE-2023-5159 A User Manager role with user edit permissions could manage/update bots
Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots...