
1088 matches found

Github Security Blog
added 2024/11/15 3:11 p.m. · 17 views

LibreNMS has a stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/api-access.inc.php

Summary A Stored Cross-Site Scripting XSS vulnerability in the API-Access page allows authenticated users to inject arbitrary JavaScript through the "token" parameter when creating a new API token. This vulnerability can result in the execution of malicious code in the context of other users'...

CVSS 7.5 · AI score 5.2 · EPSS 0.69818
Exploits 1 · References 4 · Affected Software 1
Positive Technologies
added 2024/11/15 12:00 a.m. · 2 views

PT-2024-33665 · Librenms · Librenms

Name of the Vulnerable Software and Affected Versions: LibreNMS versions prior to 24.10.0 Description: A Stored Cross-Site Scripting XSS vulnerability in the API-Access page allows authenticated users to inject arbitrary JavaScript through the token parameter when creating a new API token. This c...

CVSS 7.5 · AI score 5.5 · EPSS 0.69818
Exploits 1 · References 9
CNVD
added 2024/11/15 12:00 a.m. · 3 views

Moodle Access Control Error Vulnerability

Moodle is an open-source e-learning software platform, also known as a course management system, learning management system or virtual learning environment. Moodle suffers from an Access Control Error vulnerability that stems from insufficient access control over the inclusion of an...

CVSS 5.3 · AI score 7.2 · EPSS 0.00318
Exploits 0 · References 1
Tenable Nessus
added 2024/11/15 12:00 a.m. · 12 views

GitLab 17.2 < 17.3.7 / 17.4 < 17.4.4 / 17.5 < 17.5.2 (CVE-2024-7404)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed a...

CVSS 6.8 · AI score 5.7 · EPSS 0.00538
Exploits 0 · References 5
NVD
added 2024/11/14 1:15 p.m. · 22 views

CVE-2024-7404

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker gaining full API access as the victim via the Device OAuth flow...

CVSS 6.8 · EPSS 0.00538
Exploits 0 · References 3
CVE
added 2024/11/14 1:02 p.m. · 88 views

CVE-2024-7404

GitLab CVE-2024-7404 affects GitLab CE/EE versions 17.2–17.3.6, 17.4–17.4.3, and 17.5–17.5.1, where a flaw in the Device OAuth flow could allow an attacker to gain full API access as the victim. The vulnerability enables unauthorized API access via the victim’s session, with high confidentiality im...

CVSS 6.8 · AI score 6.3 · EPSS 0.00538
Exploits 0 · References 3 · Affected Software 1
OSV
added 2024/11/14 1:02 p.m. · 12 views

CVE-2024-7404 Improper Restriction of Rendered UI Layers or Frames in GitLab

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker gaining full API access as the victim via the Device OAuth flow...

CVSS 6.8 · AI score 6.5 · EPSS 0.00538
Exploits 0 · References 6
Debian CVE
added 2024/11/14 1:02 p.m. · 24 views

CVE-2024-7404

Removed by vendor...

CVSS 6.8 · AI score 5.8 · EPSS 0.00538
Exploits 0
OSV
added 2024/11/11 1:15 p.m. · 7 views

CVE-2024-43430

A flaw was found in moodle. External API access to Quiz can override contained insufficient access control...

CVSS 5.3 · AI score 6.5
Exploits 0 · References 2
Cvelist
added 2024/11/11 12:15 p.m. · 19 views

CVE-2024-43430 Moodle: lack of access control when using external methods for quiz overrides

A flaw was found in moodle. External API access to Quiz can override contained insufficient access control...

CVSS 5.3 · EPSS 0.00318
Exploits 0 · References 2
Positive Technologies
added 2024/11/11 12:00 a.m. · 6 views

PT-2024-30580 · Moodle +1 · Moodle +1

Name of the Vulnerable Software and Affected Versions: moodle affected versions not specified Description: A flaw was found in moodle, where external API access to Quiz can override contained insufficient access control. Recommendations: At the moment, there is no information about a newer versio...

CVSS 8.8 · AI score 5.5 · EPSS 0.83343
Exploits 8 · References 76
Positive Technologies
added 2024/11/06 12:00 a.m. · 7 views

PT-2024-8175 · Glpi +1 · Glpi +1

Name of the Vulnerable Software and Affected Versions: GLPI versions 9.3.0 through 10.0.16 Description: The issue is related to incorrect access control in the GLPI system, which can be exploited by a remote attacker to gain unauthorized access to an account through the API. An authenticated user...

CVSS 10 · AI score 7.5 · EPSS 0.86182
Exploits 9 · References 80
CNNVD
added 2024/10/31 12:00 a.m. · 5 views

Century Systems FutureNet NXR Security Vulnerability

Century Systems FutureNet NXR is a series of routers from Century Systems, Japan. A security vulnerability exists in Century Systems FutureNet NXR, which arises from an initial configuration where REST-APIs are accidentally enabled during device startup, which could allow an attacker to gain acce...

CVSS 9.8 · AI score 9.5 · EPSS 0.00556
Exploits 0 · References 3
Tenable Nessus
added 2024/10/21 12:00 a.m. · 13 views

Adobe FrameMaker Publishing Server 2022 < 17.0.1 (2022.0.1) Security Feature Bypass (APSB23-58)

The version of Adobe FrameMaker Publishing Server installed on the remote Windows host is prior to Adobe FrameMaker Publishing Server 2022 17.0.1. It is, therefore, affected by a vulnerability as referenced in the apsb23-58 advisory. - Adobe FrameMaker Publishing Server versions 2022 and earlier...

CVSS 9.8 · AI score 8.3 · EPSS 0.01373
Exploits 0 · References 2
OSV
added 2024/10/16 9:15 a.m. · 1 view

CVE-2023-32188

A user can reverse engineer the JWT token JSON Web Token used in authentication for Manager and API access, forging a valid NeuVector Token to perform malicious activity in NeuVector. This can lead to an RCE...

CVSS 9.4 · AI score 5.8 · EPSS 0.00461
Exploits 0 · References 2
CNNVD
added 2024/10/16 12:00 a.m. · 4 views

NeuVector Security Vulnerability

NeuVector is an end-to-end container security platform from US-based NeuVector. The platform includes features such as image vulnerability management, access control and container process/filesystem protection. A security vulnerability exists in previous versions of NeuVector...

CVSS 9.4 · AI score 8.3 · EPSS 0.00461
Exploits 0 · References 2
Positive Technologies
added 2024/09/30 12:00 a.m. · 8 views

PT-2024-39480 · Unknown · Octopus Server

Name of the Vulnerable Software and Affected Versions: Octopus Server versions 2024.1.0 through 2024.1.13038 Octopus Server versions 2024.2.0 through 2024.2.9482 Octopus Server versions 2024.3.0 through 2024.3.12766 Description: This issue is related to an SQL Injection vulnerability due to...

CVSS 9.8 · AI score 7.7 · EPSS 0.00419
Exploits 0 · References 17
CISA
added 2024/09/20 12:00 p.m. · 15 views

Versa Networks Releases Advisory for a Vulnerability in Versa Director, CVE-2024-45229

Versa Networks has released an advisory for a vulnerability, CVE-2024-45229, affecting Versa Director. A cyber threat actor could exploit this vulnerability to exercise unauthorized REST APIs. CISA urges organizations to apply necessary updates, hunt for any malicious activity, repo...

CVSS 6.6 · AI score 6.9 · EPSS 0.00513
Exploits 0 · References 2
OSV
added 2024/09/09 10:15 a.m. · 5 views

CVE-2024-8601

This vulnerability exists in TechExcel Back Office Software versions prior to 1.0.0 due to improper access controls on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter through API request URL which could lead to unauthorized acce...

CVSS 6.5 · AI score 5.8 · EPSS 0.00485
Exploits 0 · References 1
Cvelist
added 2024/09/07 4:11 p.m. · 25 views

CVE-2024-39715

A code injection vulnerability that allows a low-privileged user who has been granted REST API access to remotely upload arbitrary files to the VSPC server using the REST API, leading to remote code execution on the VSPC server...

CVSS 8.5 · EPSS 0.00854
Exploits 0 · References 1