In JetBrains TeamCity before 2025.07 improper access control allowed disclosure of build settings via VCS configuration
In JetBrains TeamCity before 2020.2.1, a user could get access to the GitHub access token of another user.
In JetBrains TeamCity before 2024.12.1 improper access control allowed to see Projects’ names in the agent pool
In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects
In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents
In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible
In JetBrains YouTrack before 2020.6.1099, project information could be potentially disclosed.
In JetBrains TeamCity before 2023.11.2 access control at the S3 Artifact Storage plugin endpoint was missed
JetBrains YouTrack before 2019.2.53938 was using incorrect settings, allowing a user without necessary permissions to get other project names.
In JetBrains TeamCity before 2025.07.1 aWS credentials were exposed in Docker script files
In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives
In JetBrains TeamCity before 2025.03.3 usernames were exposed to the users without proper permissions
In JetBrains YouTrack before 2025.1.74704 restricted attachments could become visible after issue cloning
In JetBrains TeamCity before 2025.03.1 base64-encoded credentials could be exposed in build logs
In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services
In JetBrains TeamCity before 2025.03 base64 encoded password could be exposed in build log
In JetBrains TeamCity before 2020.1.5, the Guest user had access to audit records.
In JetBrains TeamCity before 2023.05.1 build chain parameters of the "password" type could be written to the agent log
In JetBrains TeamCity before 2023.05.1 parameters of the "password" type could be shown in the UI in certain composite build configurations
In JetBrains TeamCity before 2023.05.1 build parameters of the "password" type could be written to the agent log
In JetBrains TeamCity before 2023.05 parameters of the "password" type from build dependencies could be logged in some cases
In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions.
In JetBrains TeamCity before 2024.07.3 password could be exposed via Sonar runner REST API
In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project
In JetBrains TeamCity before 2024.03.2 users could perform actions that should not be available to them based on their permissions
In JetBrains TeamCity before 2024.03.2 certain TeamCity API endpoints did not check user permissions
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 improper access control in Pull Requests and Commit status publisher build features was possible
In JetBrains TeamCity before 2024.03 authenticated users without administrative permissions could register other users when self-registration was disabled
In JetBrains TeamCity before 2023.11.4 presigned URL generation requests in S3 Artifact Storage plugin were authorized improperly
In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles
In JetBrains TeamCity before 2023.05 improper permission checks allowed users without appropriate permissions to edit Build Configuration settings via REST API
In JetBrains IntelliJ IDEA before 2025.2 improper access control allowed Code With Me guest to discover hidden files
In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible
In JetBrains TeamCity before 2020.2.1, permissions during token removal were checked improperly.
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, 2024.03.2 a third-party agent could impersonate a cloud agent
app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search.
In VMware SD-WAN by VeloCloud versions 3.x prior to 3.3.0, the VeloCloud Orchestrator parameter authorization check mistakenly allows enterprise users to obtain information of Managed Service Provider accounts. Among the information is username, first and last name, phone numbers and e-mail address if present but no other personal data. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 4.3.
PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property.
A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control read access for certain client actions. This could allow authenticated attackers to retrieve the changedDate attribute of arbitrary objects, even when they don't have read access to them.
Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the "groupfolders" application in the admin settings.
A vulnerability exists where a low-privileged user can exploit insufficient permissions in credential handling to leak NTLM hashes of saved credentials. The exploitation involves using retrieved credentials to expose sensitive NTLM hashes, impacting systems beyond the initial target and potentially leading to broader security vulnerabilities.
Review Board: URL processing gives unauthorized users access to review lists
Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates
Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker in possession of a deploy token to access a project's disabled wiki.
A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.)
In all versions of GitLab CE/EE since version 11.3, the endpoint for auto-completing Assignee discloses the members of private groups.
bookstack is vulnerable to Improper Access Control
IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to incorrect authorization in some components which could allow an authenticated user to obtain sensitive information. IBM X-Force ID: 164430.
A flaw was found in the Red Hat AMQ Broker management console in version 7.8 where an existing user is able to access some limited information even when the role the user is assigned to should not be allow access to the management console. The main impact is to confidentiality as this flaw means some role bindings are incorrectly checked, some privileged meta information such as queue names and configuration details are disclosed but the impact is limited as not all information is accessible and there is no affect to integrity.
IBM Maximo Asset Management 7.6.1.0 could allow a remote attacker to disclose sensitive information to an authenticated user due to disclosing path information in the URL. IBM X-Force ID: 172883.