| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud. In versions prior to 1.4.8, 1.5.6, and 1.6.1, an authenticated user can move stacks with cards from their own board to a board of another user. The Nextcloud Deck app contains a patch for this issue in versions 1.4.8, 1.5.6, and 1.6.1. There are no known currently-known workarounds available. |
| Nextcloud mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments. Attachments may have been exposed to incorrect system users. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. There are no known workarounds for this issue. ### Workarounds No workaround available ### References * [Pull request](https://github.com/nextcloud/mail/pull/6600) * [HackerOne](https://hackerone.com/reports/1579820) ### For more information If you have any questions or comments about this advisory: * Create a post in [nextcloud/security-advisories](https://github.com/nextcloud/security-advisories/discussions) * Customers: Open a support ticket at [support.nextcloud.com](https://support.nextcloud.com) |
| An issue in the delete_post() function of Online Discussion Forum Site 1 allows unauthenticated attackers to arbitrarily delete posts. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new task to a private project of another user. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can remove columns from a private project of another user. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can add an internal link to a private project of another user. |
| Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can edit columns of a private project of another user. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new category to a private project of another user. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can edit metadata of a private project of another user, as demonstrated by Name, Email, Identifier, and Description. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tags of a private project of another user. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can remove automatic actions from a private project of another user. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user. |
| An issue in ZKTeko BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information via the Authentication & Authorization component |
| The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification. |
