A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) re
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups vi
A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to per
A low privileged remote attacker can corrupt the webserver users storage on the device by setting a sequence of unsupported characters which leads to deletion of all previously configured users and th
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publ
Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated att
Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session va
A security flaw has been discovered in yangzongzhuan RuoYi up to 4.8.1. This vulnerability affects unknown code of the file /system/role/authUser/selectAll. Performing manipulation of the argument use
WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privileg
A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An insufficient authorization check in the file replace API allows a user with only list v
An improper link following vulnerability was reported in the SmartPerformanceAddin for Lenovo Vantage that could allow an authenticated local user to perform an arbitrary file deletion with elevated p
SummaryThis advisory addresses a security vulnerability in Mautic related to the "Forget your password" functionality. This vulnerability could be exploited by unauthenticated users to enumerate valid
Authorization Bypass Through User-Controlled Key vulnerability in AKIN Software Computer Import Export Industry and Trade Co. Ltd. QRMenu allows Privilege Abuse.
This issue affects QRMenu: from 1.05.
A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with
Missing Authorization vulnerability in mingocommerce Delete All Posts allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Delete All Posts: through 1.1.1.
An unauthenticated file deletion vulnerability in the Palo Alto Networks PAN-OS management web interface enables an unauthenticated attacker with network access to the management web interface to dele
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from gro
A vulnerability was identified in Himool ERP up to 2.2. Affected by this issue is the function update_account of the file /api/admin/update_account/ of the component AdminActionViewSet. Such manipulat
Due to missing authorization check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function which will allow