Cerebrate-project ≫ Cerebrate

UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields ...

Cerebrate before 1.15 lacks the Secure attribute for the session cookie.

In Cerebrate 1.14, a vulnerability in UserSettingsController allows authenticated users to change user settings of other users.

In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint.

Cerebrate 1.12 does not properly consider organisation_id during creation of API keys.

An issue was discovered in Cerebrate through 1.4. genericForm allows reflected XSS in form descriptions via a user-controlled description.

An issue was discovered in Cerebrate through 1.4. An incorrect sharing group ACL allowed an unprivileged user to edit and modify sharing groups.

An issue was discovered in Cerebrate through 1.4. Endpoints could be open even when not enabled.

An issue was discovered in Cerebrate through 1.4. Username enumeration could occur.

An issue was discovered in Cerebrate through 1.4. XSS could occur in the bookmarks component.