CVE 2023-5549
Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.
See the
CVE page on Mitre.org
for more details.