Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2015-10033

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-09 Jan, 2023 | 20:36
Updated At-06 Aug, 2024 | 08:58
Rejected At-
Credits

jvvlee MerlinsBoard Grade improper authorization

A vulnerability, which was classified as problematic, was found in jvvlee MerlinsBoard. This affects an unknown part of the component Grade Handler. The manipulation leads to improper authorization. The identifier of the patch is 134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5. It is recommended to apply a patch to fix this issue. The identifier VDB-217713 was assigned to this vulnerability.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:09 Jan, 2023 | 20:36
Updated At:06 Aug, 2024 | 08:58
Rejected At:
▼CVE Numbering Authority (CNA)
jvvlee MerlinsBoard Grade improper authorization

A vulnerability, which was classified as problematic, was found in jvvlee MerlinsBoard. This affects an unknown part of the component Grade Handler. The manipulation leads to improper authorization. The identifier of the patch is 134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5. It is recommended to apply a patch to fix this issue. The identifier VDB-217713 was assigned to this vulnerability.

Affected Products
Vendor
jvvlee
Product
MerlinsBoard
Modules
  • Grade Handler
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
CWECWE-285CWE-285 Improper Authorization
Type: CWE
CWE ID: CWE-285
Description: CWE-285 Improper Authorization
Metrics
VersionBase scoreBase severityVector
3.13.5LOW
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
3.03.5LOW
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
2.03.7N/A
AV:A/AC:L/Au:M/C:N/I:P/A:P
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Version: 3.0
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Version: 2.0
Base score: 3.7
Base severity: N/A
Vector:
AV:A/AC:L/Au:M/C:N/I:P/A:P
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
tool
VulDB GitHub Commit Analyzer
Timeline
EventDate
Advisory disclosed2023-01-09 00:00:00
CVE reserved2023-01-09 00:00:00
VulDB entry created2023-01-09 01:00:00
VulDB entry last update2023-01-30 15:06:11
Event: Advisory disclosed
Date: 2023-01-09 00:00:00
Event: CVE reserved
Date: 2023-01-09 00:00:00
Event: VulDB entry created
Date: 2023-01-09 01:00:00
Event: VulDB entry last update
Date: 2023-01-30 15:06:11
Replaced By
Rejected Reason
References
HyperlinkResource
https://vuldb.com/?id.217713
vdb-entry
technical-description
https://vuldb.com/?ctiid.217713
signature
permissions-required
https://github.com/jvvlee/MerlinsBoard/commit/134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5
patch
Hyperlink: https://vuldb.com/?id.217713
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/?ctiid.217713
Resource:
signature
permissions-required
Hyperlink: https://github.com/jvvlee/MerlinsBoard/commit/134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5
Resource:
patch
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://vuldb.com/?id.217713
vdb-entry
technical-description
x_transferred
https://vuldb.com/?ctiid.217713
signature
permissions-required
x_transferred
https://github.com/jvvlee/MerlinsBoard/commit/134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5
patch
x_transferred
Hyperlink: https://vuldb.com/?id.217713
Resource:
vdb-entry
technical-description
x_transferred
Hyperlink: https://vuldb.com/?ctiid.217713
Resource:
signature
permissions-required
x_transferred
Hyperlink: https://github.com/jvvlee/MerlinsBoard/commit/134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5
Resource:
patch
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:09 Jan, 2023 | 21:15
Updated At:17 May, 2024 | 01:03

A vulnerability, which was classified as problematic, was found in jvvlee MerlinsBoard. This affects an unknown part of the component Grade Handler. The manipulation leads to improper authorization. The identifier of the patch is 134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5. It is recommended to apply a patch to fix this issue. The identifier VDB-217713 was assigned to this vulnerability.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Secondary3.13.5LOW
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Secondary2.03.7LOW
AV:A/AC:L/Au:M/C:N/I:P/A:P
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Type: Secondary
Version: 2.0
Base score: 3.7
Base severity: LOW
Vector:
AV:A/AC:L/Au:M/C:N/I:P/A:P
CPE Matches
merlinsboard_project
merlinsboard_project
>>merlinsboard>>Versions before 2015-03-19(exclusive)
cpe:2.3:a:merlinsboard_project:merlinsboard:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-863Primarynvd@nist.gov
CWE-285Secondarycna@vuldb.com
CWE ID: CWE-863
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-285
Type: Secondary
Source: cna@vuldb.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/jvvlee/MerlinsBoard/commit/134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5cna@vuldb.com
Patch
Third Party Advisory
https://vuldb.com/?ctiid.217713cna@vuldb.com
Third Party Advisory
https://vuldb.com/?id.217713cna@vuldb.com
Third Party Advisory
Hyperlink: https://github.com/jvvlee/MerlinsBoard/commit/134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5
Source: cna@vuldb.com
Resource:
Patch
Third Party Advisory
Hyperlink: https://vuldb.com/?ctiid.217713
Source: cna@vuldb.com
Resource:
Third Party Advisory
Hyperlink: https://vuldb.com/?id.217713
Source: cna@vuldb.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

4Records found
CVE-2026-25963
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-1.2||LOW
EPSS-0.03% / 8.11%
||
7 Day CHG~0.00%
Published-26 Feb, 2026 | 02:49
Updated-27 Feb, 2026 | 16:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fleet: Authorization Bypass in certificate template batch deletion for team administrators

Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. Fleet supports certificate templates that are scoped to individual teams. In affected versions, the batch deletion endpoint validated authorization using a user-supplied team identifier but did not verify that the certificate template IDs being deleted actually belonged to that team. As a result, a team administrator could delete certificate templates associated with other teams, potentially disrupting certificate-based workflows such as device enrollment, Wi-Fi authentication, VPN access, or other certificate-dependent configurations for the affected teams. This issue does not allow privilege escalation, access to sensitive data, or compromise of Fleet’s control plane. Impact is limited to integrity and availability of certificate templates across teams. Version 4.80.1 patches the issue. If an immediate upgrade is not possible, administrators should restrict access to certificate template management to trusted users and avoid delegating team administrator permissions where not strictly required.

Action-Not Available
Vendor-fleetdmfleetdm
Product-fleetfleet
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-59111
Matching Score-4
Assigner-CERT.PL
ShareView Details
Matching Score-4
Assigner-CERT.PL
CVSS Score-6.9||MEDIUM
EPSS-0.05% / 15.57%
||
7 Day CHG~0.00%
Published-18 Nov, 2025 | 13:26
Updated-05 Dec, 2025 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Broken Access Control in Windu CMS

Windu CMS is vulnerable to Broken Access Control in user editing functionality. Malicious attacker can send a GET request which allows privileged users to delete Super Admins which is not possible with GUI. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.

Action-Not Available
Vendor-winduJCD
Product-windu_cmsWindu CMS
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-3504
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.1||HIGH
EPSS-0.14% / 33.63%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 17:53
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in lunary-ai/lunary

An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7.

Action-Not Available
Vendor-Lunary LLC
Product-lunarylunary-ai/lunarylunary
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-49145
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.05% / 16.54%
||
7 Day CHG~0.00%
Published-10 Nov, 2025 | 21:10
Updated-21 Nov, 2025 | 13:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
iTop admin can drop iTop database using webhooks

Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature.

Action-Not Available
Vendor-combodoCombodo
Product-itopiTop
CWE ID-CWE-863
Incorrect Authorization
Details not found