A flaw was found in KubeVirt’s Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain...
Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository...
IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom...
CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and execute arbitrary OS...
Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn’t properly limit the scope of edits. This issue has been fixed in version 5.17. More information...
Adobe Photoshop Installer was affected by an Uncontrolled Search Path Element vulnerability that could have resulted in arbitrary code execution in the context of the current user. A low-privileged local attacker could have exploited...
Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to...
Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project “Administration” role) can configure machine translation service URLs pointing to arbitrary internal...
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn’t perform proper access control. This issue has been fixed in version...
Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn’t filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue...
Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn’t restrict possible redirects. This issue has been fixed in version...
OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing...
Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn’t verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17....
Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user’s current ACL token. This allows an authenticated GUI user with access in one...