1995 matches found
CVE-2024-6985
CVE-2024-6985 affects parisneo/lollms-webui’s api open_personality_folder endpoint. The vulnerability allows path traversal to read files within the personality_folder due to improper sanitization of the personality_folder parameter, even when sanitize_path is set. The issue is documented across ...
open-webui Insecure Direct Object Reference (IDOR) vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update, where the decentralization design is flawed, allowing attackers to edit other users' memories without...
GHSA-XCVC-5HGV-PHQG open-webui Insecure Direct Object Reference (IDOR) vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update, where the decentralization design is flawed, allowing attackers to edit other users' memories without...
CVE-2024-7041
An Insecure Direct Object Reference (IDOR) vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update, where the decentralization design is flawed, allowing attackers to edit other users' memories without...
CVE-2024-7041 IDOR in open-webui/open-webui
An Insecure Direct Object Reference (IDOR) vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update, where the decentralization design is flawed, allowing attackers to edit other users' memories without...
PT-2024-38043 · Unknown · Open-Webui
Name of the Vulnerable Software and Affected Versions: open-webui version v0.3.8 Description: The issue is related to improper privilege management in the API endpoints "GET /api/v1/documents/" and "POST /rag/api/v1/doc". This allows a lower-privileged user to access and overwrite files managed b...
CVE-2024-47654
This vulnerability exists in Shilpi Client Dashboard due to a lack of rate limiting and CAPTCHA protection for OTP requests in certain API endpoints. An unauthenticated remote attacker could exploit this vulnerability by sending multiple OTP requests through the vulnerable API endpoints, which could lead...
CVE-2024-47654 No Rate Limiting vulnerability
This vulnerability exists in Shilpi Client Dashboard due to a lack of rate limiting and CAPTCHA protection for OTP requests in certain API endpoints. An unauthenticated remote attacker could exploit this vulnerability by sending multiple OTP requests through the vulnerable API endpoints, which could lead...
CVE-2024-47654
The issue affects Shilpi Client Dashboard (versions prior to 9.7.0). Root cause: lack of rate limiting and CAPTCHA protection for OTP requests in certain API endpoints, enabling unauthenticated attackers to flood OTP requests and cause an OTP bombing on the target system. Affected software and ve...
CVE-2024-47651
This vulnerability exists in Shilpi Client Dashboard due to improper handling of multiple parameters in the API endpoint. An authenticated remote attacker could exploit this vulnerability by including multiple "userid" parameters in the API request body, leading to unauthorized access to sensitive...
CVE-2024-47651
CVE-2024-47651 affects Shilpi Client Dashboard. The issue is improper handling of multiple parameters in the API endpoint, allowing an authenticated remote attacker to include multiple distinct userid parameters in the request body to gain unauthorized access to other users’ information. Descript...
CVE-2024-47911
In SonarSource SonarQube 10.4 through 10.5 before 10.6, a vulnerability was discovered in the authorizations/group-memberships API endpoint that allows SonarQube users with the administrator role to inject blind SQL commands...
Open Redirect
scoutbrowser is vulnerable to Open Redirect. The vulnerability is due to inadequate input validation and sanitization in the /login API endpoint, which does not properly handle the next parameter, and lack of scheme validation, which allows for both open redirects and HTTPS downgrade attacks...
CVE-2024-34535
In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header...
PT-2024-25955 · Mastodon · Mastodon
Name of the Vulnerable Software and Affected Versions: Mastodon version 4.1.6 Description: The issue allows API endpoint rate limiting to be bypassed by setting a crafted HTTP request header. Recommendations: For Mastodon version 4.1.6, as a temporary workaround, consider restricting access to AP...
CVE-2024-34535
CVE-2024-34535 affects Mastodon 4.1.6. The issue allows bypassing API endpoint rate limiting by sending a crafted HTTP request header. Impact is described as potential exposure of higher-level access due to rate-limiting bypass, with CVSSv3.1 indicating Network attack, High confidentiality impact...
CVE-2024-20477
A vulnerability in a specific REST API endpoint of Cisco NDFC could allow an authenticated, low-privileged, remote attacker to upload or delete files on an affected device. This vulnerability exists because of missing authorization controls on the affected REST API endpoint. An attacker could...