108 matches found
PT-2024-19394 · Nextcloud · Nextcloud Files Zip App
Name of the Vulnerable Software and Affected Versions: Nextcloud files Zip app versions prior to 1.2.1 Nextcloud files Zip app versions prior to 1.4.1 Nextcloud files Zip app versions prior to 1.5.0 Description: The Nextcloud files Zip app is a tool to create zip archives from one or multiple fil...
Nextcloud Security Breach
Nextcloud is an open source suite of self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. A security vulnerability exists in Nextcloud files Zip 1.2.0 and later, which originates from an attacker being able to download view-only files by...
Nextcloud: Can download files by zipping the folder
A vulnerability was identified where files could be downloaded without proper permissions by zipping and downloading a folder, despite not having direct download access. This allowed circumvention of view-only restrictions...
CVE-2023-41723
A vulnerability in Veeam ONE allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule. Note: The criticality of this vulnerability is reduced because the user with the Read-Only role is only able to view the schedule and cannot make changes...
SUSE CVE-2019-19118
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests,...
CVE-2022-22415
A vulnerability exists where an IBM Robotic Process Automation 21.0.1 regular user is able to obtain view-only access to some admin pages in the Control Center IBM X-Force ID: 223029...
CVE-2022-22415
The IBM Security Bulletin (CVE-2022-22415) notes that IBM Robotic Process Automation Server versions before 21.0.1.3 permit regular users to view some admin pages in the Control Center, an information-disclosure risk. The issue affects IBM RPA Server (on-premises) and is mitigated by upgrading to...
CVE-2022-22415
A vulnerability exists where an IBM Robotic Process Automation 21.0.1 regular user is able to obtain view-only access to some admin pages in the Control Center IBM X-Force ID: 223029...
Improper Privilege Management in heroiclabs/nakama
Description A predefined View Only user has access to the User Management function at the :7351//users endpoint. By default this is a predefined system administrator function, and no other users should be able to access this function. Proof of Concept - Create a View-only user with the...
Online Railway Reservation System 1.0 - Remote Code Execution Vulnerability
Exploit Title: Online Railway Reservation System 1.0 - Remote Code Execution RCE Unauthenticated Exploit Author: Zachary Asher Vendor Homepage: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html Software Link:...
CVE-2021-22944
A vulnerability found in UniFi Protect application V1.18.1 and earlier allows a malicious actor with a view-only role and network access to gain the same privileges as the owner of the UniFi Protect application. This vulnerability is fixed in UniFi Protect application V1.19.0 and later...
CVE-2021-22944
The CVE-2021-22944 vulnerability affects UniFi Protect (versions 1.18.1 and earlier) where a user with a view-only role and network access can gain the same privileges as the application owner. The issue is described as an access control error leading to privilege escalation. The fixed version is...
Ubiquiti Networks UniFi Protect 访问控制错误漏洞
An access control error vulnerability exists in Ubiquiti Networks UniFi Protect, a network video recorder from Ubiquiti Networks, Inc. The vulnerability is caused by the product not adding effective privilege control for accessers with view-only access, network access. An attacker could use this...
CVE-2021-27900
The Proofpoint Insider Threat Management Server formerly ObserveIT Server is missing an authorization check on several pages in the Web Console. This enables a view-only user to change any configuration setting and delete any registered agents. All versions before 7.11.1 are affected...
CVE-2021-27900
The Proofpoint Insider Threat Management Server formerly ObserveIT Server is missing an authorization check on several pages in the Web Console. This enables a view-only user to change any configuration setting and delete any registered agents. All versions before 7.11.1 are affected...
CVE-2021-3165
SmartAgent 3.1.0 allows a ViewOnly attacker to create a SuperUser account via the //CampaignManager/users URI...
CVE-2020-7300
Improper Authorization vulnerability in McAfee Data Loss Prevention DLP ePO extension prior to 11.5.3 allows authenticated remote attackers to change the configuration when logged in with view only privileges via carefully constructed HTTP post messages...
CVE-2020-8188
We have recently released new version of UniFi Protect firmware v1.13.3 and v1.14.10 for Unifi Cloud Key Gen2 Plus and UniFi Dream Machine Pro/UNVR respectively that fixes vulnerabilities found on Protect firmware v1.13.2, v1.14.9 and prior according to the description below:View only users can r...
DEBIAN-CVE-2019-19118
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests,...
PYSEC-2019-15
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests,...