In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an...
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user.
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove columns from a private project of another user.
In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new category to a private project of another user.
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit metadata of a private project of another user, as demonstrated by Name, Email, Identifier, and Description.
In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new task to a private project of another user.