
Positive Technologies
added 2024/07/11 12:00 a.m. · 3 views

PT-2024-5874 · HashiCorp +2 · Vault Enterprise +3

Name of the Vulnerable Software and Affected Versions: Vault and Vault Enterprise versions prior to 1.15.12; Vault and Vault Enterprise versions prior to 1.16.6; Vault and Vault Enterprise versions prior to 1.17.2. Description: The issue is related to the improper handling of requests originating fr...

CVSS 7.8 · AI score 7.1 · EPSS 0.00528
Exploits 0 · References 26
CVE
added 2024/07/01 2:36 p.m. · 85 views

CVE-2024-34696

Geoserver CVE-2024-34696 describes exposure of environment variables and Java system properties via the Server Status page and REST API, accessible to administrators. The issue affects GeoServer 2.10.0 up to versions before 2.24.4 and 2.25.1, where environment data (e.g., database passwords, API ...

CVSS 4.9 · AI score 5 · EPSS 0.00397
Exploits 0 · References 1 · Affected Software 1
Cvelist
added 2024/07/01 2:36 p.m. · 47 views

CVE-2024-34696 GeoServer's Server Status shows sensitive environmental variables and Java properties

GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer's Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with administrative...

CVSS 4.5 · EPSS 0.00397
Exploits 0 · References 1
CVE
added 2024/06/28 5:09 p.m. · 99 views

CVE-2024-37905

The CVE-2024-37905 entry concerns the github.com/goauthentik/authentik project. Affected: the authentik API-Access-Token mechanism, which can be exploited to gain admin privileges, enabling full admin access and actions like resetting passwords. Root cause: improper access control/authorization related...

CVSS 8.8 · AI score 8.9 · EPSS 0.00757
Exploits 0 · References 4 · Affected Software 1
Cvelist
added 2024/06/28 5:09 p.m. · 31 views

CVE-2024-37905 Improper Access Control and Incorrect Authorization in github.com/goauthentik/authentik

authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including...

CVSS 8.8 · EPSS 0.00757
Exploits 0 · References 4
Vulnrichment
added 2024/06/28 5:09 p.m. · 19 views

CVE-2024-37905 Improper Access Control and Incorrect Authorization in github.com/goauthentik/authentik

authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including...

CVSS 8.8 · AI score 7 · EPSS 0.00757
Exploits 0 · References 4
Positive Technologies
added 2024/06/28 12:00 a.m. · 6 views

PT-2024-27821

Name of the Vulnerable Software and Affected Versions: authentik versions prior to 2024.2.4; authentik versions prior to 2024.4.2; authentik versions prior to 2024.4.3; authentik versions prior to 2024.6.0. Description: The authentik API-Access-Token mechanism can be exploited to gain admin user...

CVSS 8.8 · AI score 5.8 · EPSS 0.00757
Exploits 0 · References 10
CNNVD
added 2024/06/14 12:00 a.m. · 5 views

Toshiba e-STUDIO Security Vulnerability

Toshiba e-STUDIO is a series of high-end office multifunction printers from Toshiba, Japan. A security vulnerability exists in Toshiba e-STUDIO that originates from the presence of a method of unauthorized access to certain APIs of the multifunction device's internal programs, which could allow...

CVSS 9.8 · AI score 7.4 · EPSS 0.26811
Exploits 1 · References 4
Github Security Blog
added 2024/05/23 2:11 p.m. · 199 views

iFrames Bypass Origin Checks for Tauri API Access Control

Impact: Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the dangerousRemoteDomainIpcAccess in v1 and in the capabilities in v2. This bypasses the origin check and allows iFrames to access the IPC endpoints exposed to the parent...

CVSS 5.9 · AI score 7.4 · EPSS 0.00349
Exploits 0 · References 6 · Affected Software 1
NVD
added 2024/05/15 10:15 p.m. · 9 views

CVE-2024-35184

Paperless-ngx is a document management system that transforms physical documents into a searchable online archive. Starting in version 2.5.0 and prior to version 2.8.6, remote user authentication allows API access even if API access is explicitly disabled. Version 2.8.6 contains a patch for the...

CVSS 5.5 · AI score 5.5 · EPSS 0.00494
Exploits 0 · References 4
Vulnrichment
added 2024/05/15 9:29 p.m. · 18 views

CVE-2024-35184 paperless-ngx's remote user auth via header works even when disabling it for API

Paperless-ngx is a document management system that transforms physical documents into a searchable online archive. Starting in version 2.5.0 and prior to version 2.8.6, remote user authentication allows API access even if API access is explicitly disabled. Version 2.8.6 contains a patch for the...

CVSS 5.5 · AI score 6.9 · EPSS 0.00494
Exploits 0 · References 4
Cvelist
added 2024/05/15 9:29 p.m. · 14 views

CVE-2024-35184 paperless-ngx's remote user auth via header works even when disabling it for API

Paperless-ngx is a document management system that transforms physical documents into a searchable online archive. Starting in version 2.5.0 and prior to version 2.8.6, remote user authentication allows API access even if API access is explicitly disabled. Version 2.8.6 contains a patch for the...

CVSS 5.5 · AI score 5.7 · EPSS 0.00494
Exploits 0 · References 4
OSV
added 2024/05/15 9:29 p.m. · 13 views

CVE-2024-35184 paperless-ngx's remote user auth via header works even when disabling it for API

Paperless-ngx is a document management system that transforms physical documents into a searchable online archive. Starting in version 2.5.0 and prior to version 2.8.6, remote user authentication allows API access even if API access is explicitly disabled. Version 2.8.6 contains a patch for the...

CVSS 5.5 · AI score 6.8 · EPSS 0.00494
Exploits 0 · References 6
CVE
added 2024/05/13 4:02 p.m. · 102 views

CVE-2024-34706

Valtimo exposes the user JWT in the x-jwt-token header to api.form.io due to a Form.io component misconfiguration. An attacker with network access to api.form.io and the Valtimo API, and who can read the token TTL (default 5 minutes), can access personal data or perform actions on behalf of the l...

CVSS 9.8 · AI score 6.6 · EPSS 0.01057
Exploits 0 · References 4
Positive Technologies
added 2024/05/08 12:00 a.m. · 4 views

PT-2025-5683 · Gitlab · Gitlab Ce/Ee

Name of the Vulnerable Software and Affected Versions: GitLab EE versions 15.2 through 16.9.7; GitLab EE versions 16.10 through 16.10.5; GitLab EE versions 16.11 through 16.11.2. Description: An issue has been discovered in GitLab EE, allowing the disclosure of updates to issues to a banned group...

CVSS 5.3 · AI score 6.6 · EPSS 0.00321
Exploits 0 · References 10
NVD
added 2024/05/07 5:15 p.m. · 13 views

CVE-2024-29208

An Unverified Password Change could allow a malicious actor with API access to the device to change the system password without knowing the previous password. Affected Products: UniFi Connect EV Station Version 1.1.18 and earlier; UniFi Connect EV Station Pro Version 1.1.18 and earlier; UniFi Conne...

CVSS 2.2 · AI score 3.8 · EPSS 0.00341
Exploits 0 · References 1
Vulnrichment
added 2024/05/07 4:40 p.m. · 16 views

CVE-2024-29208

An Unverified Password Change could allow a malicious actor with API access to the device to change the system password without knowing the previous password. Affected Products: UniFi Connect EV Station Version 1.1.18 and earlier; UniFi Connect EV Station Pro Version 1.1.18 and earlier; UniFi Conne...

CVSS 2.2 · AI score 7 · EPSS 0.00341
Exploits 0 · References 1
Cvelist
added 2024/05/07 4:40 p.m. · 22 views

CVE-2024-29208

An Unverified Password Change could allow a malicious actor with API access to the device to change the system password without knowing the previous password. Affected Products: UniFi Connect EV Station Version 1.1.18 and earlier; UniFi Connect EV Station Pro Version 1.1.18 and earlier; UniFi Conne...

CVSS 2.2 · AI score 4.3 · EPSS 0.00341
Exploits 0 · References 1
CVE
added 2024/05/07 4:40 p.m. · 102 views

CVE-2024-29208

The CVE-2024-29208 vulnerability affects UniFi Connect EV Station (≤ v1.1.18), EV Station Pro (≤ v1.1.18), Display (≤ v1.9.324), and Display Cast (≤ v1.6.225). Root cause: unverified password change via API could allow a malicious actor with API access to change the system password without knowin...

CVSS 2.2 · AI score 6.9 · EPSS 0.00341
Exploits 0 · References 1
Positive Technologies
added 2024/05/07 12:00 a.m. · 4 views

PT-2024-22809 · Ubiquiti · Unifi Connect Ev Station Pro +3

Name of the Vulnerable Software and Affected Versions: UniFi Connect EV Station versions 1.1.18 and earlier; UniFi Connect EV Station Pro versions 1.1.18 and earlier; UniFi Connect Display versions 1.9.324 and earlier; UniFi Connect Display Cast versions 1.6.225 and earlier. Description: An Unverifie...

CVSS 2.2 · AI score 7.4 · EPSS 0.00341
Exploits 0 · References 5