Fix security issue: a user with Project-Admin capabilities can utilize and exploit SQL Injection to read secrets from the underlying database or conduct privilege escalation.
Fix security issue: An authenticated administrator can send a specially crafted SQL payload through the GET parameter sort, allowing the extraction of sensitive information from the database.
Fix security issue: a normal user to gain administrator account privileges by making an API call to modify the email address of a specific user
Fix security issue: Non-administrator users (such as those created via self-registration) can list all usernames and user IDs by sending a GET request to /api/users/search with no parameters
Fix security issue: without protection against Cross-Site Request Forgery (CSRF), an attacker can execute any action on the platform in the context of the currently authenticated victim