Tarek Ramadan

#30449 of 53,635
8.6 Total CVSS
Vulnerabilities · 2 (Medium · 2)
PT-2025-51684 · 4.3 · 2025-12-16
Unknown · Invoiceplane · CVE-2025-64012

**Name of the Vulnerable Software and Affected Versions**
InvoicePlane versions prior to commit debb446c

**Description**
The software contains an incorrect access control issue: the `invoices/view` handler does not verify that the requester owns an invoice before disclosing its data, so an unauthorized user could obtain sensitive information. The vulnerable component is the `invoices/view` handler.

**Recommendations**
Update to a version after commit debb446c.
PT-2025-50959 · 4.3 · 2025-12-12
Nextcloud · Nextcloud Server · CVE-2025-64011

**Name of the Vulnerable Software and Affected Versions**
Nextcloud Server version 30.0.0

**Description**
Nextcloud Server 30.0.0 contains an Insecure Direct Object Reference (IDOR) issue in the `/core/preview` endpoint. An authenticated user can access previews of arbitrary files belonging to other users by manipulating the `fileId` parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions. An IDOR occurs when an application provides direct access to objects based on user-supplied input without checking that the caller is authorized for that particular object.

**Recommendations**
Nextcloud Server version 30.0.0: Restrict access to the `/core/preview` endpoint or implement stricter access controls to prevent unauthorized file preview access.
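The access-control failure both entries describe, as an added illustration that is not code from Nextcloud, InvoicePlane or the advisory: a preview lookup keyed only on the caller-supplied `fileId` beside one that also requires ownership or an explicit share. All user names, ids and file records are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class FileRecord:
    file_id: int
    owner: str
    content: bytes
    shared_with: set = field(default_factory=set)  # users the owner shared with

# Constructed sample data standing in for the server's file table.
FILES = {
    101: FileRecord(101, "alice", b"alice-private-notes"),
    102: FileRecord(102, "bob", b"bob-photo", shared_with={"alice"}),
    103: FileRecord(103, "carol", b"carol-secret"),
}

def preview_vulnerable(user: str, file_id: int):
    """IDOR pattern: the caller is authenticated, but the object is fetched
    by id alone, so any valid id returns another user's data."""
    rec = FILES.get(file_id)
    return None if rec is None else rec.content

def preview_hardened(user: str, file_id: int):
    """Authorize the (user, object) pair before returning anything."""
    rec = FILES.get(file_id)
    # Unknown and forbidden ids both yield the same 'not found' result, so the
    # endpoint does not confirm which ids exist.
    if rec is None:
        return None
    if user != rec.owner and user not in rec.shared_with:
        return None
    return rec.content
```

A database-backed handler gets the same effect by scoping the query to the requester (for example `WHERE id = ? AND (owner = ? OR shared_with_user = ?)`) rather than fetching by id and checking afterwards.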