1995 matches found

RedhatCVE · added 2024/10/31 8:59 p.m. · 16 views

CVE-2024-8185

A flaw was found in HashiCorp Vault. Clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack via memory exhaustion through a Raft cluster join API endpoint. This flaw allows an attacker to send a large volume of requests to the endpoint, which may...

CVSS 7.5 · AI score 7.2 · EPSS 0.00479 · Exploits 0 · References 4
OSV · added 2024/10/31 6:31 p.m. · 15 views

GHSA-G233-2P4R-3Q7V Hashicorp Vault vulnerable to denial of service through memory exhaustion

Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack via memory exhaustion through a Raft cluster join API endpoint. An attacker may send a large volume of requests to the endpoint, which may cause Vault...

CVSS 8.7 · AI score 7.3 · EPSS 0.00479 · Exploits 0 · References 5
NVD · added 2024/10/31 4:15 p.m. · 24 views

CVE-2024-8185

Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack via memory exhaustion through a Raft cluster join API endpoint. An attacker may send a large volume of requests to the endpoint, which may cause Vaul...

CVSS 7.5 · EPSS 0.00479 · Exploits 0 · References 1
CVE · added 2024/10/31 3:14 p.m. · 342 views

CVE-2024-8185

CVE-2024-8185 affects Vault Community/Enterprise when using Integrated Storage with Raft; memory exhaustion via the cluster-join API can lead to DoS or a Vault process crash. The likely impact is loss of service due to memory pressure. Fixes are available: Vault Community 1.18.1 and Vault Enterprise 1....

CVSS 7.5 · AI score 7.2 · EPSS 0.00479 · Exploits 0 · References 1 · Affected Software 1
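The four Vault entries above describe the same flaw class: an endpoint that accepts requests from peers not yet part of the cluster, with nothing bounding how much work a flood of such requests can pile up. The following is an added example, not Vault's own code and not its fix, of two generic controls that bound that work: a per-client token bucket and a cap on concurrently handled requests, both applied before any handler state is allocated. The limits, client ids and the injectable clock are assumptions for illustration.

```python
"""Added example, not Vault's own code: two generic controls that bound the
resources an unauthenticated join-style endpoint can consume under a request
flood, a per-client token bucket and a cap on in-flight requests. Limits,
client ids and the injectable clock are assumptions for illustration."""
import threading
from typing import Callable, Dict


class TokenBucket:
    """Admits `rate` requests per second with bursts of up to `capacity`."""

    def __init__(self, rate: float, capacity: int, now: Callable[[], float]):
        self.rate = rate
        self.capacity = capacity
        self.now = now
        self.tokens = float(capacity)
        self.last = now()

    def allow(self) -> bool:
        t = self.now()
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class JoinGate:
    """Sits in front of the handler. A request that fails either check is
    refused before any handler state (buffers, cluster bookkeeping) is
    allocated, so a flood cannot grow process memory without bound."""

    def __init__(self, rate: float, burst: int, max_in_flight: int,
                 now: Callable[[], float]):
        self.rate, self.burst, self.max_in_flight = rate, burst, max_in_flight
        self.now = now
        self.buckets: Dict[str, TokenBucket] = {}
        self.in_flight = 0
        self.lock = threading.Lock()
        self.rejected = {"rate": 0, "capacity": 0}

    def try_acquire(self, client: str) -> bool:
        with self.lock:
            bucket = self.buckets.setdefault(
                client, TokenBucket(self.rate, self.burst, self.now))
            if not bucket.allow():
                self.rejected["rate"] += 1
                return False
            if self.in_flight >= self.max_in_flight:
                self.rejected["capacity"] += 1
                return False
            self.in_flight += 1
            return True

    def release(self) -> None:
        with self.lock:
            self.in_flight -= 1


def simulate_flood(requests_per_client: int, clients: int) -> Dict[str, int]:
    """Constructed scenario: `clients` sources each fire `requests_per_client`
    joins at the same instant and none completes. Returns how many were
    admitted, how many are still in flight, and rejections per reason."""
    clock = [1000.0]
    gate = JoinGate(rate=1.0, burst=5, max_in_flight=8, now=lambda: clock[0])
    admitted = 0
    for c in range(clients):
        for _ in range(requests_per_client):
            if gate.try_acquire(f"10.0.0.{c}"):
                admitted += 1  # handler would run here and call release() when done
    return {"admitted": admitted, "in_flight": gate.in_flight, **gate.rejected}


if __name__ == "__main__":
    print(simulate_flood(10, 4))
```

With four sources sending ten requests each, only eight are ever admitted: the first source spends its burst of five, the second gets three more before the in-flight cap closes, and everything else is refused at constant cost. Note that the per-client bucket map is itself attacker-growable (one entry per spoofed source), so a real deployment evicts idle buckets or keys them on a bounded structure.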
Cvelist · added 2024/10/29 5:32 a.m. · 17 views

CVE-2024-10008 Masteriyo LMS – eLearning and Online Course Builder for WordPress <= 1.13.3 - Authenticated (Student+) Missing Authorization to Privilege Escalation

The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to unauthorized user profile modification due to missing authorization checks on the /wp-json/masteriyo/v1/users/$id REST API endpoint in all versions up to, and including, 1.13.3. This makes ...

CVSS 8.8 · EPSS 0.00623 · Exploits 0 · References 2
Positive Technologies · added 2024/10/29 12:00 a.m. · 3 views

PT-2024-15969 · WordPress · Masteriyo - Lms

Name of the Vulnerable Software and Affected Versions: Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress, versions up to and including 1.13.3
Description: The issue is related to missing authorization checks on the "/wp-json/masteriyo/v1/users/$id" REST API...

CVSS 8.8 · AI score 6.3 · EPSS 0.00623 · Exploits 0 · References 10
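The two Masteriyo entries above describe a missing authorization check on a "modify user by id" route: the caller is authenticated, but the id in the URL is never compared with who the caller is. The following is an added example, not the plugin's code, of what that check looks like in a route handler. The user model, role names, field list and scenarios are assumptions constructed for illustration.

```python
"""Added example, not the plugin's code: object-level authorization for a
'modify user by id' REST route. The user model, role names and handler are
assumptions; the point is that the id in the URL is checked against the
caller's identity and role, not merely that the caller is logged in."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    id: int
    role: str   # "student", "instructor" or "administrator" (assumed roles)
    name: str
    email: str


@dataclass
class Request:
    actor: Optional[User]      # None means unauthenticated
    target_id: int             # the $id from /users/$id
    body: Dict[str, str]


# Fields only an administrator may change; changing `role` is the
# privilege-escalation path.
PRIVILEGED_FIELDS = {"role", "email"}
WRITABLE_FIELDS = {"name", "email", "role"}


def vulnerable_update(req: Request, users: Dict[int, User]) -> Tuple[int, str]:
    """Checks authentication only: any logged-in user edits any id."""
    if req.actor is None:
        return 401, "unauthorized"
    target = users[req.target_id]
    for key, value in req.body.items():
        setattr(target, key, value)
    return 200, "ok"


def hardened_update(req: Request, users: Dict[int, User]) -> Tuple[int, str]:
    if req.actor is None:
        return 401, "unauthorized"
    target = users.get(req.target_id)
    if target is None:
        return 404, "not found"
    is_admin = req.actor.role == "administrator"
    is_self = req.actor.id == req.target_id
    if not (is_admin or is_self):
        return 403, "forbidden"                  # object-level check
    if not is_admin and PRIVILEGED_FIELDS & req.body.keys():
        return 403, "forbidden"                  # field-level check
    if not req.body.keys() <= WRITABLE_FIELDS:
        return 400, "bad request"                # no mass assignment
    for key, value in req.body.items():
        setattr(target, key, value)
    return 200, "ok"


def run_scenarios(handler) -> Dict[str, int]:
    """Constructed users and requests; returns the status code per scenario."""
    users = {
        1: User(1, "administrator", "Admin", "admin@example.test"),
        2: User(2, "student", "Stu", "stu@example.test"),
        3: User(3, "student", "Other", "other@example.test"),
    }
    student, admin = users[2], users[1]
    scenarios = {
        "anonymous edits 2":        Request(None, 2, {"name": "x"}),
        "student renames self":     Request(student, 2, {"name": "Stuart"}),
        "student escalates self":   Request(student, 2, {"role": "administrator"}),
        "student edits other user": Request(student, 3, {"name": "pwned"}),
        "admin changes 3's role":   Request(admin, 3, {"role": "instructor"}),
    }
    return {label: handler(req, users)[0] for label, req in scenarios.items()}
```

Run both handlers through `run_scenarios` and the difference is exactly the two 403s: a student changing their own role and a student editing someone else's record.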
NVD · added 2024/10/24 10:15 p.m. · 14 views

CVE-2024-49359

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v21/file in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on...

CVSS 7.5 · EPSS 0.00954 · Exploits 1 · References 2
NVD · added 2024/10/24 10:15 p.m. · 22 views

CVE-2024-49358

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v1/users/login in ZimaOS returns distinct responses based on whether a username exists or the password is incorrect. This behavior can b...

CVSS 5.3 · EPSS 0.00463 · Exploits 1 · References 2
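CVE-2024-49358 above is a response oracle: the login route answers differently for "no such user" and "wrong password", so an attacker can confirm valid usernames without ever guessing a password. The following is an added example, not ZimaOS code, of a login check that returns one generic failure for both cases and does the same password-hashing work on both paths, so neither the body nor the timing distinguishes them. The user store, salt and iteration count are constructed for illustration.

```python
"""Added example, not ZimaOS code: a login check whose failure response and
work are identical whether the username is unknown or the password is wrong.
The user store, salt and PBKDF2 parameters are constructed for illustration."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Tuple

Response = Tuple[int, Dict[str, str]]


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed store: username -> (salt, password hash)
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": (_SALT, _hash("correct horse", _SALT))}

# A throwaway credential that is verified when the user does not exist, so the
# unknown-user path costs the same as a wrong password on a real account.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash(secrets.token_hex(16), _DUMMY_SALT))

GENERIC_FAILURE: Response = (401, {"message": "invalid username or password"})


def vulnerable_login(username: str, password: str) -> Response:
    """The flaw class: distinct status and message per failure cause."""
    if username not in USERS:
        return 404, {"message": "user not found"}
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, {"message": "invalid password"}
    return 200, {"message": "ok"}


def hardened_login(username: str, password: str) -> Response:
    """Same response and same hashing work on every failure path."""
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and username in USERS:
        return 200, {"message": "ok"}
    return GENERIC_FAILURE


def responses_distinguish(login) -> bool:
    """Oracle check a tester would run: do the unknown-user and
    wrong-password responses differ?"""
    return login("nobody", "x") != login("alice", "x")
```

`responses_distinguish` is the check to run against any login route: if it returns True, usernames can be enumerated. The same uniformity applies to password-reset and registration flows, which are the usual places the oracle reappears after login is fixed.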
Vulnrichment · added 2024/10/24 9:33 p.m. · 11 views

CVE-2024-49359 ZimaOS vulnerable to Directory Listing via Parameter Manipulation

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v21/file in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on...

CVSS 7.5 · AI score 7.5 · EPSS 0.00954 · Exploits 1 · References 2
Cvelist · added 2024/10/24 9:33 p.m. · 23 views

CVE-2024-49359 ZimaOS vulnerable to Directory Listing via Parameter Manipulation

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v21/file in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on...

CVSS 7.5 · EPSS 0.00954 · Exploits 1 · References 2
CVE · added 2024/10/24 9:00 p.m. · 82 views

CVE-2024-48932

ZimaOS (a CasaOS fork) before version 1.5.0 exposes usernames via unauthenticated access to /v1/users/name (http:///v1/users/name). The root cause is an access control flaw that allows information disclosure and potential for username enumeration, enabling subsequent phishing or brute-force attac...

CVSS 5.3 · AI score 6.4 · EPSS 0.00504 · Exploits 1 · References 3 · Affected Software 1
Cvelist · added 2024/10/24 8:49 p.m. · 21 views

CVE-2024-48931 ZimaOS Arbitrary File Read via Parameter Manipulation

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint http:///v3/file?token=&files= is vulnerable to arbitrary file reading due to improper input validation. By manipulating the files...

CVSS 7.5 · EPSS 0.00702 · Exploits 1 · References 2
CVE · added 2024/10/24 8:49 p.m. · 78 views

CVE-2024-48931

ZimaOS (fork of CasaOS) versions 1.2.4 and earlier are affected by an arbitrary file read vulnerability in the API endpoint /v3/file?token=&files=, caused by improper input validation on the files parameter. Authenticated users can manipulate the files value to access sensitive files outside the ...

CVSS 7.5 · AI score 7.8 · EPSS 0.00702 · Exploits 1 · References 2 · Affected Software 1
OSV · added 2024/10/24 8:49 p.m. · 9 views

CVE-2024-48931 ZimaOS Arbitrary File Read via Parameter Manipulation

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint http:///v3/file?token=&files= is vulnerable to arbitrary file reading due to improper input validation. By manipulating the files...

CVSS 7.5 · AI score 7.1 · EPSS 0.00702 · Exploits 1 · References 4
Positive Technologies · added 2024/10/21 12:00 a.m. · 3 views

PT-2024-33159 · Unknown · Online Clinic Management System

Name of the Vulnerable Software and Affected Versions: Online Clinic Management System version 1.0
Description: The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the id parameter at the "/success/editp.php?action=edit" API endpoint.
Recommendations: Fo...

CVSS 8.1 · AI score 7.2 · EPSS 0.00449 · Exploits 1 · References 3
Vulnrichment · added 2024/10/17 6:14 p.m. · 9 views

CVE-2024-10099 Stored XSS in comfyanonymous/comfyui

A stored cross-site scripting (XSS) vulnerability exists in comfyanonymous/comfyui version 0.2.2 and possibly earlier. The vulnerability occurs when an attacker uploads an HTML file containing a malicious XSS payload via the /api/upload/image endpoint. The payload is executed when the file is viewe...

CVSS 6.1 · AI score 6 · EPSS 0.00342 · Exploits 1 · References 1
Cvelist · added 2024/10/17 6:14 p.m. · 14 views

CVE-2024-10099 Stored XSS in comfyanonymous/comfyui

A stored cross-site scripting (XSS) vulnerability exists in comfyanonymous/comfyui version 0.2.2 and possibly earlier. The vulnerability occurs when an attacker uploads an HTML file containing a malicious XSS payload via the /api/upload/image endpoint. The payload is executed when the file is viewe...

CVSS 6.1 · EPSS 0.00342 · Exploits 1 · References 1
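The CVE-2024-10099 entries above are the classic image-upload XSS: an "image" endpoint stores whatever bytes it is given, and the same origin later serves the file with a type the browser will render as a document. The following is an added example, not ComfyUI code, of the two server-side controls that close this: validating that the stored bytes actually are an image of an allowed type, and serving uploads with headers that stop the browser from interpreting them as a page. The signature table, sample files and header set are constructed for illustration.

```python
"""Added example, not ComfyUI code: content validation for an image upload
route plus the response headers to serve uploads safely. Signature table,
sample uploads and header values are constructed for illustration."""
from typing import Callable, Dict, Optional, Tuple

IMAGE_SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXT = {
    "image/png": {"png"}, "image/jpeg": {"jpg", "jpeg"},
    "image/gif": {"gif"}, "image/webp": {"webp"},
}


def sniff_image(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None."""
    for mime, sigs in IMAGE_SIGNATURES.items():
        if data.startswith(sigs):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def looks_like_markup(data: bytes) -> bool:
    head = data[:512].lstrip().lower()
    return head.startswith((b"<!doctype", b"<html", b"<svg", b"<script", b"<?xml"))


def vulnerable_accept(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """The flaw class: trusts the client's filename and Content-Type."""
    return True, declared_type


def hardened_accept(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Decide from the bytes, then require the extension to agree with them."""
    mime = sniff_image(data)
    if mime is None or looks_like_markup(data):
        return False, "rejected: not a recognised image"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT[mime]:
        return False, "rejected: extension does not match content"
    return True, mime


def download_headers(mime: str, stored_name: str) -> Dict[str, str]:
    """Serve stored uploads so a browser never treats them as a document,
    even if a polyglot slipped past the signature check."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample uploads: (declared Content-Type, body)
SAMPLES: Dict[str, Tuple[str, bytes]] = {
    "xss.html": ("text/html", b"<html><script>alert(document.cookie)</script></html>"),
    "xss.png": ("image/png", b"<html><script>alert(1)</script></html>"),  # spoofed type
    "ok.png": ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "bad_ext.jpg": ("image/jpeg", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
}


def run_samples(accept: Callable[[str, str, bytes], Tuple[bool, str]]) -> Dict[str, bool]:
    """Map each sample filename to whether `accept` would store it."""
    return {name: accept(name, t, d)[0] for name, (t, d) in SAMPLES.items()}
```

The signature check alone is not sufficient: a valid GIF or PNG can carry HTML in its trailing bytes, and some browsers will render such a polyglot if the server lets them sniff. `download_headers` is the part that holds regardless, which is why uploads should also live on a separate origin where that is an option.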
OSV · added 2024/10/16 1:15 p.m. · 1 view

CVE-2023-32193

A vulnerability has been identified in which unauthenticated cross-site scripting (XSS) in Norman's public API endpoint can be exploited. This can lead to an attacker exploiting the vulnerability to trigger JavaScript code and execute commands remotely...

CVSS 8.3 · AI score 5.8 · EPSS 0.00428 · Exploits 0 · References 2
Positive Technologies · added 2024/10/14 12:00 a.m. · 3 views

PT-2024-32025 · Jepaas · Jepaas

Name of the Vulnerable Software and Affected Versions: Jepaas version 7.2.8
Description: A SQL injection vulnerability was discovered in Jepaas via the orderSQL parameter at the "/homePortal/loadUserMsg" API endpoint. This issue allows for potential SQL injection attacks.
Recommendations: For...

CVSS 9.8 · AI score 9.6 · EPSS 0.00448 · Exploits 1 · References 9
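The Jepaas entry above (an orderSQL parameter) and the Online Clinic Management System entry further up (an id parameter) are two different injection points that need two different fixes: a value in a WHERE clause can be bound as a parameter, but an ORDER BY fragment cannot, because column names and sort direction are not bindable. The following is an added example, not code from either project, that shows both the vulnerable and the hardened form against an in-memory SQLite table, including a conditional-ordering payload that turns an unsanitised ORDER BY into a boolean oracle. The schema, rows and payloads are constructed for illustration.

```python
"""Added example, not Jepaas or Online Clinic code: the two injection points
described above against an in-memory SQLite table. The id is fixed with a bound
parameter; the ORDER BY fragment is mapped through an allow-list because a
column or direction cannot be bound. Schema, rows and payloads are constructed."""
import sqlite3
from typing import List, Tuple

Row = Tuple[int, str]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE patients(id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
        INSERT INTO patients VALUES (1, 'Zed', 'A1'), (2, 'Bob', 'B2'), (3, 'Ann', 'C3');
    """)
    return con


def vulnerable_edit(con: sqlite3.Connection, raw_id: str) -> List[Row]:
    """String-built WHERE clause: the id parameter is the injection point."""
    return con.execute(f"SELECT id, name FROM patients WHERE id = {raw_id}").fetchall()


def hardened_edit(con: sqlite3.Connection, raw_id: str) -> List[Row]:
    """Coerce to the expected type, then bind; non-numeric input raises."""
    pid = int(raw_id)
    return con.execute("SELECT id, name FROM patients WHERE id = ?", (pid,)).fetchall()


def vulnerable_list(con: sqlite3.Connection, order_sql: str) -> List[Row]:
    """String-built ORDER BY: the sort parameter is the injection point."""
    return con.execute(f"SELECT id, name FROM patients ORDER BY {order_sql}").fetchall()


# Allow-list: the only sort keys the API exposes, mapped to real column names.
ORDER_COLUMNS = {"id": "id", "name": "name"}


def hardened_list(con: sqlite3.Connection, order_sql: str) -> List[Row]:
    """Accept '<key>' or '<key> asc|desc' from the allow-list; anything else
    raises before it reaches the query string."""
    parts = order_sql.strip().split()
    if not parts or len(parts) > 2:
        raise ValueError("unsupported sort")
    col = ORDER_COLUMNS.get(parts[0].lower())
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if col is None or direction not in ("ASC", "DESC"):
        raise ValueError("unsupported sort")
    return con.execute(f"SELECT id, name FROM patients ORDER BY {col} {direction}").fetchall()


def oracle_payload(guess: str) -> str:
    """Constructed ORDER BY payload: sorts by id when the first character of
    patient 1's secret equals `guess`, otherwise by name. The row order that
    comes back leaks one bit per request without any error message."""
    return ("(CASE WHEN (SELECT substr(secret, 1, 1) FROM patients WHERE id = 1) "
            f"= '{guess}' THEN id ELSE name END)")
```

Against `vulnerable_list`, `oracle_payload("A")` returns rows in id order and `oracle_payload("X")` returns them in name order, which is enough to extract the whole secret column one character at a time. `hardened_list` never gets that far: the first token of the payload is not an allow-listed key, so the request fails before any SQL is built.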
OSV · added 2024/10/11 4:15 p.m. · 21 views

PYSEC-2024-122

A path traversal vulnerability exists in the api openpersonalityfolder endpoint of parisneo/lollms-webui. This vulnerability allows an attacker to read any folder in the personalityfolder on the victim's computer, even though sanitizepath is set. The issue arises due to improper sanitization of t...

CVSS 4.4 · AI score 4.6 · EPSS 0.00353 · Exploits 1 · References 4
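The lollms-webui entry above and the ZimaOS file entries earlier (CVE-2024-48931, CVE-2024-49359) are the same defect: a user-supplied path is joined onto a base directory and the result is used without checking that it still lies inside that base. The lollms description notes that a sanitiser was in place and still bypassed, which is the usual outcome of pattern-stripping `..` instead of resolving the final path. The following is an added example, not code from either project, of a containment check that resolves the candidate path (including `..`, repeated separators and symlinks) and compares it to the resolved base. The directory layout and payloads are constructed for illustration.

```python
"""Added example, not ZimaOS or lollms-webui code: a containment check for a
file/folder API that takes a user-controlled path. Resolve first, then compare
against the resolved base; never pattern-strip '..'. Directory layout and
payloads are constructed for illustration (POSIX paths assumed)."""
import os
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def naive_join(base: str, user_path: str) -> str:
    """The flaw class: plain join; '..' or an absolute path escapes `base`."""
    return os.path.join(base, user_path)


def safe_resolve(base: str, user_path: str) -> str:
    """Return the resolved path, or raise ValueError if it leaves `base`."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    base_real = os.path.realpath(base)
    # realpath collapses '..', '//' and follows symlinks, so the comparison is
    # made on the path that would actually be opened. An absolute user_path
    # replaces base in os.path.join and is then rejected by the prefix test.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes base: {user_path!r}")
    return candidate


def build_fixture() -> Tuple[str, str]:
    """Constructed layout: <root>/data is the served directory, <root>/secret.txt
    sits outside it, and <root>/data/link is a symlink pointing at the secret."""
    root = tempfile.mkdtemp()
    data = os.path.join(root, "data")
    os.makedirs(os.path.join(data, "sub"))
    Path(data, "sub", "ok.txt").write_text("public")
    Path(root, "secret.txt").write_text("secret")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(data, "link"))
    return root, data


PAYLOADS = [
    "sub/ok.txt",             # legitimate
    "sub/../sub/ok.txt",      # '..' that stays inside base is fine
    "../secret.txt",          # classic traversal
    "sub/..//../secret.txt",  # doubled separators
    "/etc/hostname",          # absolute path
    "link",                   # symlink pointing outside base
]


def check_payloads(base: str) -> Dict[str, bool]:
    """Map each payload to whether safe_resolve accepts it."""
    results = {}
    for p in PAYLOADS:
        try:
            safe_resolve(base, p)
            results[p] = True
        except ValueError:
            results[p] = False
    return results


if __name__ == "__main__":
    root, data = build_fixture()
    print("naive join reads:", Path(naive_join(data, "../secret.txt")).read_text())
    for payload, ok in check_payloads(data).items():
        print(f"{'allow' if ok else 'deny ':5} {payload}")
```

Two points worth noting. The comparison uses `os.path.commonpath`, not a string prefix test, so a sibling directory such as `data2` cannot pass as being under `data`. And the check runs on the decoded value: if the framework hands the handler a still-percent-encoded path (`%2e%2e`), decode it first, then resolve, or the check is looking at a different string than the filesystem will.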