Lighthousekeeper1212

#15575de 53,633
17.3CVSS total
Vulnerabilidades · 3
Média
3
PT-2026-24917
6.5
2026-03-12
Git · Projectsend · CVE-2026-3977
**Name of the Vulnerable Software and Affected Versions** projectsend versions prior to r1946 **Description** A security issue has been identified in projectsend related to the AJAX Endpoints component. The problem involves a missing authorization check within an unknown `function` of this component, allowing for remote exploitation. The manipulation of the AJAX Endpoints component can lead to unauthorized access. The patch identifier for this issue is `35dfd6f08f7d517709c77ee73e57367141107e6b`. **Recommendations** Deploy the patch with identifier `35dfd6f08f7d517709c77ee73e57367141107e6b`.
PT-2026-22401
6.5
2026-02-27
Indico · Indico · CVE-2026-28352
**Name of the Vulnerable Software and Affected Versions** Indico versions prior to 3.3.11 **Description** Indico, an event management system utilizing Flask-Multipass, contains a flaw in the API endpoint responsible for managing event series. This endpoint lacks a necessary access check, potentially allowing unauthorized access. The impact is limited to retrieving metadata (title, category chain, start/end date) for event series, deleting existing series, and modifying existing series. This does not grant unauthorized access to events themselves or allow tampering with user-visible event data. The affected API endpoint is '/api/v1/event series'. **Recommendations** Update to version 3.3.11 or later. As a workaround, restrict access to the series management API endpoint using the webserver.
PT-2026-22201
4.3
2026-02-26
Weblate · Weblate · CVE-2026-27457
**Nome do Software Vulnerável e Versões Afetadas** Versões do Weblate anteriores a 5.16.1 **Descrição** A API REST do Weblate `AddonViewSet` em `weblate/api/views.py` (linha 2831) não restringia adequadamente o acesso às informações dos addons com base nas permissões do usuário. Especificamente, a atribuição `queryset = Addon.objects.all()` dentro do viewset permitia que qualquer usuário autenticado, ou até mesmo usuários anônimos se `REQUIRE LOGIN` não estivesse ativado, listassem todos os addons em todos os projetos e componentes usando os endpoints da API `GET /api/addons/` e `GET /api/addons/{id}/`. Isso permitiu acesso não autorizado às configurações dos addons. **Recomendações** Atualize para a versão 5.16.1 ou posterior do Weblate.