CVEs
List of my CVES
24 published entries
Family-scoped API endpoints trusted attacker-controlled family IDs, letting low-privileged users read and create notes on unrelated family records.
Missing function-level authorization on Settings Livewire actions let low-privileged users delete tax, zone, shipping, and carrier configuration used by checkout.
Stored XSS in Wikimedia chart pie tooltips allowed Data namespace field titles to reach the ECharts HTML tooltip renderer.
Stored XSS in page list view breadcrumbs let attacker-controlled page titles execute in the SilverStripe CMS admin interface.
Missing object-level authorization on notification export let any authenticated user download arbitrary notification attachments by iterating IDs.
Non-admin users granted remote download permission could make Cloudreve fetch loopback and internal URLs, then read the imported response body from their own files.
The backend FileUpload widget trusted posted file IDs globally, letting any authenticated backend user target unrelated attachment records and modify metadata or ordering.
A CRUD delete helper precedence bug let real HTTP DELETE requests bypass failed validation, leading to runtime-confirmed cross-organisation galaxy deletion.
Public customer document tokens could cross company boundaries through EmailLog type confusion, and JSON endpoints kept accepting expired tokens.
Direct event media endpoints let low-privileged users fetch private snapshots, frames, videos, and HLS media from monitors they were denied access to.
Quick Creation Command endpoints missed create authorization checks and let authenticated Sharp users bypass create permission on configured entities.
A stored future DDNS profile ID could later resolve to another user profile and be consumed by the DDNS worker in attacker server context.
The single meeting agenda item API disclosed private work package data from a linked work package in an inaccessible project.
Cross-user Fixer/API Layer credential consumption in exchange-rate refresh let one user trigger provider-backed actions through another user's stored credential.
Cross-user subscription cost inference via replacement_subscription_id let an authenticated user infer another user subscription cost through unscoped stats dereferencing.
Inconsistent scope enforcement for AttachAction and AssociateAction Select fields let out-of-scope records pass through backend validation.
Authenticated cross-tenant credential disclosure exposed another client secrets through an unprotected credential modal.
Payment methods, currencies, and carriers exposed inline toggles and record actions without proper per-action authorization checks.
Team settings authorization defects let authenticated panel users take over the RBAC system itself.
Multiple admin Livewire issues led to data tampering, sensitive data disclosure, and stored XSS.
Product editor sub-form Livewire components accepted unauthorized store actions and allowed tampering without the required permission.
A discount race condition enabled silent over-redemption and effectively bypassed the per-user usage limit.
Missing authorization on order mutation actions let low-privileged authenticated users mutate order state without the required write permission.
A generic download endpoint let authenticated users use one valid record as an authorization anchor to download unrelated Laravel Storage objects.