Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-6981

Summary
Assigner-GitHub_P
Assigner Org ID-82327ea3-741d-41e4-88f8-2cf9e791e760
Published At-15 Jul, 2025 | 20:44
Updated At-16 Jul, 2025 | 19:04
Rejected At-
Credits

Incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized read-only access

An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_P
Assigner Org ID:82327ea3-741d-41e4-88f8-2cf9e791e760
Published At:15 Jul, 2025 | 20:44
Updated At:16 Jul, 2025 | 19:04
Rejected At:
▼CVE Numbering Authority (CNA)
Incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized read-only access

An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3

Affected Products
Vendor
GitHub, Inc.GitHub
Product
Enterprise Server
Default Status
affected
Versions
Affected
  • From 3.14.0 before 3.14.15 (semver)
    • -> unaffectedfrom3.14.15
  • From 3.15.0 before 3.15.10 (semver)
    • -> unaffectedfrom3.15.10
  • From 3.16.0 before 3.16.6 (semver)
    • -> unaffectedfrom3.16.6
  • From 3.17.0 before 3.17.3 (semver)
    • -> unaffectedfrom3.17.3
Problem Types
TypeCWE IDDescription
CWECWE-863CWE-863 Incorrect Authorization
Type: CWE
CWE ID: CWE-863
Description: CWE-863 Incorrect Authorization
Metrics
VersionBase scoreBase severityVector
4.05.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-180CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CAPEC ID: CAPEC-180
Description: CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.15
release-notes
https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.10
release-notes
https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.6
release-notes
https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.3
release-notes
Hyperlink: https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.15
Resource:
release-notes
Hyperlink: https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.10
Resource:
release-notes
Hyperlink: https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.6
Resource:
release-notes
Hyperlink: https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.3
Resource:
release-notes
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:product-cna@github.com
Published At:15 Jul, 2025 | 21:15
Updated At:27 Aug, 2025 | 14:41

An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CPE Matches

GitHub, Inc.
github
>>enterprise_server>>Versions before 3.14.5(exclusive)
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
GitHub, Inc.
github
>>enterprise_server>>Versions from 3.15.0(inclusive) to 3.15.10(exclusive)
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
GitHub, Inc.
github
>>enterprise_server>>Versions from 3.16.0(inclusive) to 3.16.6(exclusive)
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
GitHub, Inc.
github
>>enterprise_server>>Versions from 3.17.0(inclusive) to 3.17.3(exclusive)
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-863Secondaryproduct-cna@github.com
CWE ID: CWE-863
Type: Secondary
Source: product-cna@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.15product-cna@github.com
Release Notes
https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.10product-cna@github.com
Release Notes
https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.6product-cna@github.com
Release Notes
https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.3product-cna@github.com
Release Notes
Hyperlink: https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.15
Source: product-cna@github.com
Resource:
Release Notes
Hyperlink: https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.10
Source: product-cna@github.com
Resource:
Release Notes
Hyperlink: https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.6
Source: product-cna@github.com
Resource:
Release Notes
Hyperlink: https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.3
Source: product-cna@github.com
Resource:
Release Notes

Change History

0
Information is not available yet

Similar CVEs

167Records found

CVE-2022-2408
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 30.44%
||
7 Day CHG~0.00%
Published-14 Jul, 2022 | 17:25
Updated-06 Dec, 2024 | 23:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Guest accounts can list all public channels

The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-29454
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 40.76%
||
7 Day CHG~0.00%
Published-02 Dec, 2020 | 01:50
Updated-04 Aug, 2024 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access.

Action-Not Available
Vendor-n/aUmbraco A/S (Umbraco)
Product-umbraco_cmsn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-44465
Matching Score-4
Assigner-Odoo
ShareView Details
Matching Score-4
Assigner-Odoo
CVSS Score-4.3||MEDIUM
EPSS-0.35% / 56.91%
||
7 Day CHG-0.11%
Published-25 Apr, 2023 | 18:33
Updated-03 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests.

Action-Not Available
Vendor-odooOdoo
Product-odooOdoo CommunityOdoo Enterprise
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-29605
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 35.71%
||
7 Day CHG~0.00%
Published-29 Jan, 2021 | 06:43
Updated-04 Aug, 2024 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in MantisBT before 2.24.4. Due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can get access to the Summary fields of private Issues via bug_arr[]= in a crafted bug_actiongroup_page.php URL. (The target Issues can have Private view status, or belong to a private Project.)

Action-Not Available
Vendor-n/aMantis Bug Tracker (MantisBT)Microsoft Corporation
Product-windowsmantisbtn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-43781
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.4||MEDIUM
EPSS-0.11% / 29.92%
||
7 Day CHG~0.00%
Published-06 Dec, 2021 | 17:45
Updated-04 Aug, 2024 | 04:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Permissions not properly checked in Invenio-Drafts-Resources

Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated a user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates (e.g. all require fields filled out). An attacker is not able to modify the data in the record, and thus e.g. *cannot* change a record from restricted to public. The problem is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6, which is part of InvenioRDM v6.0.1 and InvenioRDM v7.0 respectively.

Action-Not Available
Vendor-inveniosoftwareinveniosoftware
Product-invenio-drafts-resourcesinvenio-drafts-resources
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-43553
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-3.1||LOW
EPSS-0.12% / 31.39%
||
7 Day CHG~0.00%
Published-17 Nov, 2021 | 18:20
Updated-16 Sep, 2024 | 19:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OSIsoft PI Vision

PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property.

Action-Not Available
Vendor-osisoftOSIsoft
Product-pi_visionPI Vision
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-26506
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 37.01%
||
7 Day CHG~0.00%
Published-05 Nov, 2020 | 15:04
Updated-04 Aug, 2024 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Authorization Bypass vulnerability in the Marmind web application with version 4.1.141.0 allows users with lower privileges to gain control to files uploaded by administrative users. The accessed files were not visible by the low privileged users in the web GUI.

Action-Not Available
Vendor-marmindn/a
Product-marmindn/a
CWE ID-CWE-670
Always-Incorrect Control Flow Implementation
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-53902
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.17%
||
7 Day CHG~0.00%
Published-29 Jul, 2025 | 19:36
Updated-22 Aug, 2025 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tuleap exposes artifacts to a mentioned user via email notifications

Tuleap is an Open Source Suite created to facilitate management of software development and collaboration. In Tuleap Community Edition prior to version 16.9.99.1752585665 and Tuleap Enterprise Edition prior to 16.8-6 and 16.9-5, users may potentially access confidential information from artifacts that they are not authorized to view. This is fixed in Tuleap Community Edition prior to version 16.9.99.1752585665 and Tuleap Enterprise Edition prior to 16.8-6 and 16.9-5.

Action-Not Available
Vendor-Enalean SAS
Product-tuleaptuleap
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-21713
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.53%
||
7 Day CHG~0.00%
Published-08 Feb, 2022 | 20:50
Updated-23 Apr, 2025 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exposure of Sensitive Information in Grafana

Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

Action-Not Available
Vendor-Fedora ProjectNetApp, Inc.Grafana Labs
Product-e-series_performance_analyzergrafanafedoragrafana
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2020-25025
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 33.19%
||
7 Day CHG~0.00%
Published-02 Sep, 2020 | 16:19
Updated-04 Aug, 2024 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The l10nmgr (aka Localization Manager) extension before 7.4.0, 8.x before 8.7.0, and 9.x before 9.2.0 for TYPO3 allows Information Disclosure (translatable fields).

Action-Not Available
Vendor-localization_manager_projectn/a
Product-localization_managern/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-4532
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 18.35%
||
7 Day CHG~0.00%
Published-29 Sep, 2023 | 06:02
Updated-22 May, 2025 | 04:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users were capable of linking CI/CD jobs of private projects which they are not a member of.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLabgitlab
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-2258
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.08%
||
7 Day CHG~0.00%
Published-16 Sep, 2020 | 13:20
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view that HTTP endpoint.

Action-Not Available
Vendor-Jenkins
Product-health_advisor_by_cloudbeesJenkins Health Advisor by CloudBees Plugin
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-2188
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.08%
||
7 Day CHG~0.00%
Published-06 May, 2020 | 12:45
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-amazon_ec2Jenkins Amazon EC2 Plugin
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-1124
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 47.66%
||
7 Day CHG~0.00%
Published-11 May, 2022 | 14:50
Updated-02 Aug, 2024 | 23:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper authorization issue has been discovered in GitLab CE/EE affecting all versions prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0, allowing Guest project members to access trace log of jobs when it is enabled

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-1193
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 46.45%
||
7 Day CHG~0.00%
Published-11 Apr, 2022 | 19:38
Updated-02 Aug, 2024 | 23:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in GitLab CE/EE versions 10.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows a malicious actor to obtain details of the latest commit in a private project via Merge Requests under certain circumstances

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-1177
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.5||MEDIUM
EPSS-3.31% / 86.72%
||
7 Day CHG~0.00%
Published-30 Mar, 2022 | 11:00
Updated-02 Aug, 2024 | 23:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Accounting User Can Download Patient Reports in openemr in openemr/openemr

Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0.

Action-Not Available
Vendor-OpenEMR Foundation, Inc
Product-openemropenemr/openemr
CWE ID-CWE-1220
Insufficient Granularity of Access Control
CWE ID-CWE-863
Incorrect Authorization
CVE-2013-4411
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.51% / 65.57%
||
7 Day CHG~0.00%
Published-03 Dec, 2019 | 14:39
Updated-06 Aug, 2024 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Review Board: URL processing gives unauthorized users access to review lists

Action-Not Available
Vendor-reviewboardReview BoardFedora Project
Product-reviewboardfedoraReview Board
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-41241
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 49.47%
||
7 Day CHG~0.00%
Published-08 Mar, 2022 | 18:25
Updated-23 Apr, 2025 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advanced permissions is not respected for subfolders in Nextcloud server

Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the "groupfolders" application in the admin settings.

Action-Not Available
Vendor-Nextcloud GmbH
Product-nextcloud_serversecurity-advisories
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-862
Missing Authorization
CVE-2023-4242
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.67%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 03:36
Updated-05 Feb, 2025 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The FULL - Customer plugin for WordPress is vulnerable to Information Disclosure via the /health REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level permissions and above to obtain sensitive information about the site configuration as disclosed by the WordPress health check.

Action-Not Available
Vendor-fullfullservices
Product-full_-_customerFULL – Customer
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-48473
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 10.82%
||
7 Day CHG~0.00%
Published-29 May, 2025 | 15:27
Updated-11 Jul, 2025 | 15:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FreeScout Vulnerable to Insufficient Authorization

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, when creating a conversation from a message in another conversation, there is no check to ensure that the user has the ability to view this message. Thus, the user can view arbitrary messages from other mailboxes or from other conversations to which they do not have access (access restriction to conversations is implemented by the show_only_assigned_conversations setting, which is also not checked). This issue has been patched in version 1.8.179.

Action-Not Available
Vendor-freescoutfreescout-help-desk
Product-freescoutfreescout
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-39876
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 46.47%
||
7 Day CHG~0.00%
Published-28 Mar, 2022 | 18:53
Updated-04 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In all versions of GitLab CE/EE since version 11.3, the endpoint for auto-completing Assignee discloses the members of private groups.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-42026
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 36.05%
||
7 Day CHG~0.00%
Published-09 Nov, 2021 | 11:32
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control read access for certain client actions. This could allow authenticated attackers to retrieve the changedDate attribute of arbitrary objects, even when they don't have read access to them.

Action-Not Available
Vendor-mendixSiemens AG
Product-mendixMendix Applications using Mendix 9Mendix Applications using Mendix 8
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-39930
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 47.66%
||
7 Day CHG~0.00%
Published-13 Dec, 2021 | 15:48
Updated-04 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-39936
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-3.5||LOW
EPSS-0.45% / 62.76%
||
7 Day CHG~0.00%
Published-13 Dec, 2021 | 15:47
Updated-04 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker in possession of a deploy token to access a project's disabled wiki.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-4026
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 44.06%
||
7 Day CHG~0.00%
Published-30 Nov, 2021 | 19:55
Updated-03 Aug, 2024 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in bookstackapp/bookstack

bookstack is vulnerable to Improper Access Control

Action-Not Available
Vendor-bookstackappbookstackapp
Product-bookstackbookstackapp/bookstack
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-41882
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.14% / 35.41%
||
7 Day CHG~0.00%
Published-11 Oct, 2023 | 19:48
Updated-17 Sep, 2024 | 14:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vantage6 Improper Access Control vulnerability

vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.

Action-Not Available
Vendor-vantage6vantage6
Product-vantage6vantage6
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-31331
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 13.39%
||
7 Day CHG~0.00%
Published-08 Apr, 2025 | 07:15
Updated-08 Apr, 2025 | 18:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authorization Bypass vulnerability in SAP NetWeaver

SAP NetWeaver allows an attacker to bypass authorization checks, enabling them to view portions of ABAP code that would normally require additional validation. Once logged into the ABAP system, the attacker can run a specific transaction that exposes sensitive system code without proper authorization. This vulnerability compromises the confidentiality.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-39965
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.09% / 26.10%
||
7 Day CHG~0.00%
Published-10 Aug, 2023 | 17:42
Updated-04 Oct, 2024 | 18:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
1Panel Unauthorized access in Backend

1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, authenticated attackers can download arbitrary files through the API interface. This code has unauthorized access. Attackers can freely download the file content on the target system. This may cause a large amount of information leakage. Version 1.5.0 has a patch for this issue.

Action-Not Available
Vendor-FIT2CLOUD Inc.1Panel (FIT2CLOUD Inc.)
Product-1panel1Panel1panel
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-3964
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 21.06%
||
7 Day CHG~0.00%
Published-01 Dec, 2023 | 07:02
Updated-03 Jun, 2025 | 02:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access composer packages on public projects that have package registry disabled in the project settings.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-34958
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.68%
||
7 Day CHG~0.00%
Published-08 Jun, 2023 | 00:00
Updated-06 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect access control in Chamilo 1.11.* up to 1.11.18 allows a student subscribed to a given course to download documents belonging to another student if they know the document's ID.

Action-Not Available
Vendor-chamilon/a
Product-chamilo_lmsn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-3763
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.10%
||
7 Day CHG+0.07%
Published-23 Aug, 2022 | 15:51
Updated-03 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in the Red Hat AMQ Broker management console in version 7.8 where an existing user is able to access some limited information even when the role the user is assigned to should not be allow access to the management console. The main impact is to confidentiality as this flaw means some role bindings are incorrectly checked, some privileged meta information such as queue names and configuration details are disclosed but the impact is limited as not all information is accessible and there is no affect to integrity.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-amq_brokerAMQ Broker
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-32672
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.99%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 13:16
Updated-26 Sep, 2024 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Superset: SQL parser edge case bypasses data access authorization

An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. The vulnerability can be exploited by leveraging a SQL parsing vulnerability.

Action-Not Available
Vendor-The Apache Software Foundation
Product-supersetApache Superset
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-3253
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 43.05%
||
7 Day CHG~0.00%
Published-29 Aug, 2023 | 19:08
Updated-28 Oct, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper authorization in Nessus

An improper authorization vulnerability exists where an authenticated, low privileged remote attacker could view a list of all the users available in the application.

Action-Not Available
Vendor-Tenable, Inc.
Product-nessusNessus
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-30955
Matching Score-4
Assigner-Palantir Technologies
ShareView Details
Matching Score-4
Assigner-Palantir Technologies
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 20.78%
||
7 Day CHG~0.00%
Published-29 Jun, 2023 | 18:46
Updated-28 Oct, 2024 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foundry workspace-server Developer Mode Authorization Bypass

A security defect was identified in Foundry workspace-server that enabled a user to bypass an authorization check and view settings related to 'Developer Mode'. This enabled users with insufficient privilege the ability to view and interact with Developer Mode settings in a limited capacity. A fix was deployed with workspace-server 7.7.0.

Action-Not Available
Vendor-palantirPalantir
Product-foundry_workspace-servercom.palantir.workspace:workspace
CWE ID-CWE-602
Client-Side Enforcement of Server-Side Security
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-2045
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.28%
||
7 Day CHG~0.00%
Published-06 Mar, 2025 | 13:04
Updated-06 Aug, 2025 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

Improper authorization in GitLab EE affecting all versions from 17.7 prior to 17.7.6, 17.8 prior to 17.8.4, 17.9 prior to 17.9.1 allow users with limited permissions to access to potentially sensitive project analytics data.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-0652
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.99%
||
7 Day CHG~0.00%
Published-13 Mar, 2025 | 05:55
Updated-08 Aug, 2025 | 01:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2 could allow unauthorized users to access confidential information intended for internal use only.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-27525
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-3.1||LOW
EPSS-0.12% / 32.34%
||
7 Day CHG~0.00%
Published-17 Apr, 2023 | 16:28
Updated-15 Oct, 2024 | 16:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Superset: Incorrect default permissions for Gamma role

An authenticated user with Gamma role authorization could have access to metadata information using non trivial methods in Apache Superset up to and including 2.0.1

Action-Not Available
Vendor-The Apache Software Foundation
Product-supersetApache Superset
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-27523
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-5||MEDIUM
EPSS-0.05% / 16.49%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 12:55
Updated-26 Sep, 2024 | 15:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Superset: Improper data permission validation on Jinja templated queries

Improper data authorization check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to.

Action-Not Available
Vendor-The Apache Software Foundation
Product-supersetApache Superset
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-27485
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 20.90%
||
7 Day CHG~0.00%
Published-07 Mar, 2023 | 18:26
Updated-25 Feb, 2025 | 15:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficient verification of authorisation when accessing subresults in thmmniii/fbs-core

thmmniii/fbs-core is an open source feedback system for students. In versions prior to 1.5.3 when querying `subresults`, it is possible to query `subresults` from other users due to insufficient authorisation. This is only possible for logged-in users and it is not possible to associate the subresults with a specific user. This bug was fixed in commit `f1ae67d8bb2`and released with version 1.5.3. Users are advised to upgrade. There are no known workarounds for this issue.

Action-Not Available
Vendor-thmthm-mni-ii
Product-feedbacksystemfeedbacksystem
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-22251
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 44.75%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 00:00
Updated-05 Mar, 2025 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Commerce Incorrect Authorization Security feature bypass

Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability. A low-privileged authenticated attacker could leverage this vulnerability to achieve minor information disclosure.

Action-Not Available
Vendor-Adobe Inc.
Product-magento_open_sourcecommerceMagento Commerce
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-1158
Matching Score-4
Assigner-Hitachi Vantara
ShareView Details
Matching Score-4
Assigner-Hitachi Vantara
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.20%
||
7 Day CHG~0.00%
Published-24 May, 2023 | 21:26
Updated-16 Jan, 2025 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list. 

Action-Not Available
Vendor-Hitachi Vantara LLCHitachi, Ltd.
Product-vantara_pentaho_business_analytics_servervantara_pentahoPentaho Business Analytics Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-4128
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.03% / 7.55%
||
7 Day CHG~0.00%
Published-11 Jun, 2025 | 10:25
Updated-08 Jul, 2025 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mattermost Guest User Information Disclosure Vulnerability

Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-36091
Matching Score-4
Assigner-OTRS AG
ShareView Details
Matching Score-4
Assigner-OTRS AG
CVSS Score-3.5||LOW
EPSS-0.15% / 35.92%
||
7 Day CHG~0.00%
Published-26 Jul, 2021 | 04:25
Updated-16 Sep, 2024 | 17:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unautorized access to the calendar appointments

Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.

Action-Not Available
Vendor-OTRS AG
Product-otrs((OTRS)) Community EditionOTRS
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-28357
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 23.26%
||
7 Day CHG~0.00%
Published-11 May, 2023 | 00:00
Updated-27 Jan, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Rocket.Chat, where the ACL checks in the Slash Command /mute occur after checking whether a user is a member of a given channel, leaking private channel members to unauthorized users. This allows authenticated users to enumerate whether a username is a member of a channel that they do not have access to.

Action-Not Available
Vendor-rocket.chatn/a
Product-rocket.chatRocket.Chat
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-23751
Matching Score-4
Assigner-Joomla! Project
ShareView Details
Matching Score-4
Assigner-Joomla! Project
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 0.21%
||
7 Day CHG~0.00%
Published-01 Feb, 2023 | 21:12
Updated-29 Mar, 2025 | 04:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[20230102] - Core - Missing ACL checks for com_actionlogs

An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-24600
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.90%
||
7 Day CHG~0.00%
Published-29 May, 2023 | 00:00
Updated-14 Jan, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OX App Suite before backend 7.10.6-rev37 allows authenticated users to bypass access controls (for reading contacts) via a move to their own address book.

Action-Not Available
Vendor-n/aOpen-Xchange AG
Product-ox_app_suiten/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2019-5533
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 37.30%
||
7 Day CHG~0.00%
Published-28 Oct, 2019 | 22:14
Updated-04 Aug, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In VMware SD-WAN by VeloCloud versions 3.x prior to 3.3.0, the VeloCloud Orchestrator parameter authorization check mistakenly allows enterprise users to obtain information of Managed Service Provider accounts. Among the information is username, first and last name, phone numbers and e-mail address if present but no other personal data. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 4.3.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-sd-wan_by_velocloudSD-WAN by VeloCloud
CWE ID-CWE-863
Incorrect Authorization
CVE-2019-4509
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.70%
||
7 Day CHG~0.00%
Published-09 Nov, 2019 | 01:41
Updated-17 Sep, 2024 | 01:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to incorrect authorization in some components which could allow an authenticated user to obtain sensitive information. IBM X-Force ID: 164430.

Action-Not Available
Vendor-IBM Corporation
Product-qradar_security_information_and_event_managerQRadar
CWE ID-CWE-863
Incorrect Authorization
CVE-2019-3848
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.46%
||
7 Day CHG~0.00%
Published-26 Mar, 2019 | 00:00
Updated-04 Aug, 2024 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.)

Action-Not Available
Vendor-[UNKNOWN]Moodle Pty Ltd
Product-moodlemoodle
CWE ID-CWE-863
Incorrect Authorization
CVE-2019-4745
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 39.77%
||
7 Day CHG~0.00%
Published-24 Feb, 2020 | 15:35
Updated-17 Sep, 2024 | 02:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Maximo Asset Management 7.6.1.0 could allow a remote attacker to disclose sensitive information to an authenticated user due to disclosing path information in the URL. IBM X-Force ID: 172883.

Action-Not Available
Vendor-IBM Corporation
Product-maximo_for_transportationmaximo_for_life_sciencesmaximo_asset_managementmaximo_for_oil_and_gasmaximo_for_utilitiesmaximo_for_nuclear_powermaximo_for_aviationMaximo Asset Management
CWE ID-CWE-863
Incorrect Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found