
Cvelist · added 2024/06/20 12:36 p.m.

CVE-2023-49112 Insecure Direct Object Reference in Kiuwan SAST

Kiuwan provides an API endpoint /saas/rest/v1/info/application to get information about any application, providing only its name via the "application" parameter. This endpoint lacks proper access control mechanisms, allowing other authenticated users to read information about applications, even...

EPSS 0.00517
Exploits: 1 · References: 2

Vulnrichment · added 2024/06/20 12:36 p.m.

CVE-2023-49112 Insecure Direct Object Reference in Kiuwan SAST

Kiuwan provides an API endpoint /saas/rest/v1/info/application to get information about any application, providing only its name via the "application" parameter. This endpoint lacks proper access control mechanisms, allowing other authenticated users to read information about applications, even...

AI score 6.5 · EPSS 0.00517
Exploits: 1 · References: 2

NVD · added 2024/06/14 3:15 a.m.

CVE-2024-27141

Toshiba printers use XML communication for the API endpoint provided by the printer. For that endpoint an XML parsing library is used, and it is vulnerable to a time-based blind XML External Entity (XXE) vulnerability. An attacker can DoS the printers by sending an HTTP request without authentication. A...

CVSS 5.9 · EPSS 0.01115
Exploits: 1 · References: 4

Vulnrichment · added 2024/06/14 2:21 a.m.

CVE-2024-27141 Pre-authenticated Time-Based Blind XXE injection

Toshiba printers use XML communication for the API endpoint provided by the printer. For that endpoint an XML parsing library is used, and it is vulnerable to a time-based blind XML External Entity (XXE) vulnerability. An attacker can DoS the printers by sending an HTTP request without authentication. A...

CVSS 5.9 · AI score 6.9 · EPSS 0.01115
Exploits: 1 · References: 4

Cvelist · added 2024/06/14 2:21 a.m.

CVE-2024-27141 Pre-authenticated Time-Based Blind XXE injection

Toshiba printers use XML communication for the API endpoint provided by the printer. For that endpoint an XML parsing library is used, and it is vulnerable to a time-based blind XML External Entity (XXE) vulnerability. An attacker can DoS the printers by sending an HTTP request without authentication. A...

CVSS 5.9 · EPSS 0.01115
Exploits: 1 · References: 4
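The three CVE-2024-27141 entries above describe an XML endpoint whose parser resolves external entities, so one unauthenticated request can stall the device while the parser waits on a connection that never answers. The example below is added here and is not Toshiba's or any vendor's code: it shows how a request handler can refuse DOCTYPE, entity declarations and external entity references before the parser resolves anything, using only the Python standard library's expat bindings. The sample documents, element names and the unreachable address in the payload are constructed.

```python
import xml.parsers.expat as expat


class ForbiddenXML(ValueError):
    """Raised for DTD / entity constructs that untrusted input never needs."""


# Constructed sample inputs (not taken from any real device or advisory).
BENIGN_DOC = b"<job><name>print</name><copies>2</copies></job>"

# A blind XXE payload: a parser that resolves external entities would open a
# connection to an address that never answers, which is what turns a blind
# XXE into a denial of service. 192.0.2.1 is a documentation (TEST-NET) address.
XXE_DOC = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE job [<!ENTITY slow SYSTEM "http://192.0.2.1:9/never-answers">]>\n'
    b"<job><name>&slow;</name></job>"
)

# Entity expansion needs no network at all; it is caught by the same rule
# because it also requires a DOCTYPE.
EXPANSION_DOC = (
    b'<!DOCTYPE a [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">]>'
    b"<a>&b;</a>"
)


def _refuse(what):
    """Build an expat callback that aborts parsing with ForbiddenXML."""
    def handler(*_args):
        raise ForbiddenXML(f"{what} is not allowed in untrusted XML")
    return handler


def parse_untrusted_xml(data: bytes, max_bytes: int = 64 * 1024) -> dict:
    """Parse untrusted XML into {element path: text}, refusing DTD constructs.

    Expat invokes StartDoctypeDeclHandler before it resolves or expands
    anything, and an exception raised inside a handler aborts Parse(), so the
    payload is rejected before the parser can touch the network or allocate
    an expanded entity. Mixed content (text around child elements) is not
    expected from this kind of API and is dropped.
    """
    if len(data) > max_bytes:
        raise ForbiddenXML(f"document larger than {max_bytes} bytes")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _refuse("DOCTYPE")
    parser.EntityDeclHandler = _refuse("entity declaration")
    parser.ExternalEntityRefHandler = _refuse("external entity reference")

    fields: dict = {}
    path: list = []
    text: list = []

    def start(name, _attrs):
        path.append(name)
        text.clear()

    def chars(chunk):
        text.append(chunk)

    def end(_name):
        value = "".join(text).strip()
        if value:
            fields["/".join(path)] = value
        path.pop()
        text.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return fields


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the hardened rules, False if refused."""
    try:
        parse_untrusted_xml(data)
        return True
    except (ForbiddenXML, expat.ExpatError):
        return False


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_DOC))
    for doc in (XXE_DOC, EXPANSION_DOC):
        print("accepted" if is_accepted(doc) else "refused")
```

Refusing the DOCTYPE outright is the right call for a machine-to-machine API that never legitimately ships a DTD; it removes the whole class rather than trying to enumerate dangerous entity shapes. The size cap is a separate, cheap guard against oversized bodies, and a request-level timeout around the parse is still worth having for the time-based variant.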
Veracode · added 2024/06/13 4:31 a.m.

Remote Code Execution

langflow is vulnerable to Remote Code Execution. The vulnerability is due to untrusted users being able to reach the POST /api/v1/customcomponent endpoint and provide a Python script, allowing an attacker to execute arbitrary code...

CVSS 9.8 · AI score 7.7 · EPSS 0.00923
Exploits: 1 · References: 2 · Affected software: 1

Positive Technologies · added 2024/06/10 12:00 a.m.

PT-2024-27049

Affected: nukeviet versions 4.5 and earlier; nukeviet-egov versions 1.2.02 and earlier. Description: the issue is related to a deserialization vulnerability, which can result in code execution. This can be achieved via the "/admin/extensions/download.php...

CVSS 8.8 · AI score 8.6 · EPSS 0.00845
Exploits: 1 · References: 9

CVE · added 2024/06/10 12:00 a.m.

CVE-2024-37014

CVE-2024-37014 affects Langflow up to version 0.6.19. The vulnerability allows remote code execution when an untrusted user can access the endpoint POST /api/v1/custom_component and provide a Python script. The cited sources describe this vector and the resulting arbitrary code execution, with im...

CVSS 9.8 · AI score 7.9 · EPSS 0.00923
Exploits: 1 · References: 1 · Affected software: 1

PyPA · added 2024/06/06 7:15 p.m.

PYSEC-2024-169

An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the active status of user accounts to false,...

CVSS 6.5 · AI score 6.6 · EPSS 0.00623
Exploits: 1 · References: 6 · Affected software: 1

NVD · added 2024/06/06 7:15 p.m.

CVE-2024-2035

An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the active status of user accounts to false,...

CVSS 6.5 · EPSS 0.00623
Exploits: 1 · References: 2

OSV · added 2024/06/06 7:15 p.m.

CVE-2024-2035

An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the active status of user accounts to false,...

CVSS 6.5 · AI score 6.5
Exploits: 0 · References: 2

Cvelist · added 2024/06/06 6:25 p.m.

CVE-2024-2035 Improper Authorization in zenml-io/zenml

An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the active status of user accounts to false,...

CVSS 6.5 · EPSS 0.00623
Exploits: 1 · References: 2

OSV · added 2024/06/06 6:15 p.m.

CVE-2024-1879

A Cross-Site Request Forgery (CSRF) vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint receiving instructions, enabling an attacker to direct a us...

CVSS 8.8 · AI score 7.4
Exploits: 0 · References: 2

NVD · added 2024/06/06 6:15 p.m.

CVE-2024-1879

A Cross-Site Request Forgery (CSRF) vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint receiving instructions, enabling an attacker to direct a us...

CVSS 8.8 · EPSS 0.00524
Exploits: 1 · References: 2

Vulnrichment · added 2024/06/06 5:53 p.m.

CVE-2024-1879 CSRF to RCE in significant-gravitas/autogpt

A Cross-Site Request Forgery (CSRF) vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint receiving instructions, enabling an attacker to direct a us...

CVSS 8.8 · AI score 7.7 · EPSS 0.00524
Exploits: 1 · References: 2

CVE · added 2024/06/06 5:53 p.m.

CVE-2024-1879

CVE-2024-1879 affects significant-gravitas/autogpt (v0.5.0). Root cause: unprotected API endpoint that receives instructions, enabling CSRF to bypass protections and allow an attacker to induce a user in the local network to issue crafted requests that can lead to remote command execution. Compou...

CVSS 8.8 · AI score 8.9 · EPSS 0.00524
Exploits: 1 · References: 2 · Affected software: 1

Positive Technologies · added 2024/06/06 12:00 a.m.

PT-2024-18387 · Significant Gravitas · Autogpt

Affected: significant-gravitas/autogpt version v0.5.0. Description: a Cross-Site Request Forgery (CSRF) issue allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint...

CVSS 8.8 · AI score 9 · EPSS 0.00524
Exploits: 1 · References: 9
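The CVE-2024-1879 / PT-2024-18387 entries above share one root cause: a state-changing API endpoint accepts whatever a browser on the local network sends it, so a page the victim visits can drive the server. The check below is an added illustration, not AutoGPT's code, of how a server can distinguish a cross-site browser request from one its own front end made: it requires a known Origin (falling back to Referer) plus a custom request header that a cross-site form, image or redirect cannot carry without a CORS preflight, and it exempts requests carrying a bearer token, which browsers never attach on their own. The allowed origins, header names and sample requests are constructed for the example.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Origins the front end is served from; assumed values for the example.
ALLOWED_ORIGINS = {"http://localhost:8000", "http://127.0.0.1:8000"}

# A browser will not attach this header to a cross-site form, <img> or
# top-level navigation without a CORS preflight, which the server refuses.
REQUIRED_HEADER = "x-requested-with"


def _origin_of(h):
    """Origin of a request from lower-cased headers, via Origin then Referer."""
    origin = h.get("origin")
    if origin:
        return origin
    referer = h.get("referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(method, headers, allowed_origins=ALLOWED_ORIGINS):
    """Return (allowed, reason) for a request as the server received it.

    Safe methods pass; state-changing requests must either carry a bearer
    token or come from an allowed origin with the custom header present.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # Scripts and CLI clients send the token explicitly; a cross-site page
    # cannot make the victim's browser add it, so such requests are not CSRF.
    if h.get("authorization", "").lower().startswith("bearer "):
        return True, "bearer-token client"
    origin = _origin_of(h)
    # "null" is what sandboxed iframes and some cross-origin redirects send.
    if origin is None or origin == "null":
        return False, "no usable Origin/Referer on a state-changing request"
    if origin not in allowed_origins:
        return False, f"origin {origin} is not allowed"
    if REQUIRED_HEADER not in h:
        return False, f"missing {REQUIRED_HEADER} header"
    return True, "same-origin request from the front end"


# Constructed sample requests (method, headers) as the server would see them.
SAMPLES = {
    # The CSRF case: the victim's browser posts a form from an attacker page.
    "cross_site_form": ("POST", {
        "Host": "localhost:8000",
        "Origin": "http://attacker.example",
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "session=abc",
    }),
    "front_end_fetch": ("POST", {
        "Host": "localhost:8000",
        "Origin": "http://localhost:8000",
        "Content-Type": "application/json",
        "X-Requested-With": "fetch",
    }),
    "no_origin_post": ("POST", {"Host": "localhost:8000",
                                "Content-Type": "application/json"}),
    "token_client": ("DELETE", {"Host": "localhost:8000",
                                "Authorization": "Bearer t0ken"}),
    "read_only": ("GET", {"Host": "localhost:8000",
                          "Referer": "http://attacker.example/page"}),
}


def run_samples():
    """Map each sample name to whether csrf_check lets it through."""
    return {name: csrf_check(m, h)[0] for name, (m, h) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (m, h) in SAMPLES.items():
        print(f"{name:16s} {csrf_check(m, h)}")
```

Origin checking is necessary but not sufficient for a server that listens on localhost without authentication: a local-network attacker needs only one browser on the host. The header and token requirements are what make the endpoint unreachable from a cross-site page, and authentication on the endpoint itself remains the primary fix.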
Positive Technologies · added 2024/06/06 12:00 a.m.

PT-2024-18648 · Zenml Io · Zenml

Affected: zenml-io/zenml versions up to and including 0.55.3. Description: a race condition issue exists, allowing the creation of multiple users with the same username when requests are sent in parallel. This is due to insufficient handling of...

CVSS 3.1 · AI score 4.5 · EPSS 0.00289
Exploits: 0 · References: 10
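The PT-2024-18648 entry above describes a check-then-insert race on user creation. The added example below, which is not zenml's code, reproduces the race deterministically against SQLite, with a barrier standing in for the window between the existence check and the insert, and then shows the fix that holds under concurrency: a database UNIQUE constraint with the constraint error mapped to the "already exists" response. The table, column and user names are constructed.

```python
import os
import sqlite3
import tempfile
import threading


def _connect(path):
    # Autocommit mode plus a busy timeout, so concurrent writers queue on the
    # file lock instead of failing with "database is locked".
    return sqlite3.connect(path, timeout=10, isolation_level=None)


def _reset_schema(path, unique):
    con = _connect(path)
    try:
        con.execute("DROP TABLE IF EXISTS users")
        con.execute(
            "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL%s)"
            % (" UNIQUE" if unique else "")
        )
    finally:
        con.close()


def create_user_check_then_insert(path, name, barrier):
    """Vulnerable pattern: the existence check and the insert are separate
    statements with no lock or constraint between them, so parallel requests
    all pass the check and all insert."""
    con = _connect(path)
    try:
        exists = con.execute(
            "SELECT 1 FROM users WHERE name = ?", (name,)).fetchall()
        barrier.wait(timeout=10)   # the window between the two statements
        if exists:
            return False
        con.execute("INSERT INTO users (name) VALUES (?)", (name,))
        return True
    finally:
        con.close()


def create_user_constrained(path, name, barrier):
    """Fixed pattern: the database enforces uniqueness atomically and the
    constraint violation becomes the 'already exists' response."""
    con = _connect(path)
    try:
        barrier.wait(timeout=10)
        con.execute("INSERT INTO users (name) VALUES (?)", (name,))
        return True
    except sqlite3.IntegrityError:
        return False
    finally:
        con.close()


def run_concurrently(create, path, name, n):
    """Run `create` in n threads for the same name; return
    (rows with that name, number of calls that reported success)."""
    barrier = threading.Barrier(n)
    results, lock = [], threading.Lock()

    def worker():
        ok = create(path, name, barrier)
        with lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    con = _connect(path)
    try:
        (count,) = con.execute(
            "SELECT COUNT(*) FROM users WHERE name = ?", (name,)).fetchone()
    finally:
        con.close()
    return count, sum(results)


def demo(n=5):
    """Race n parallel 'create alice' requests under both patterns."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "users.db")
        _reset_schema(path, unique=False)
        racy = run_concurrently(create_user_check_then_insert, path, "alice", n)
        _reset_schema(path, unique=True)
        fixed = run_concurrently(create_user_constrained, path, "alice", n)
    return {"check_then_insert": racy, "unique_constraint": fixed}


if __name__ == "__main__":
    print(demo())
```

The barrier only makes the window visible; in production the same interleaving happens whenever two requests land within the round trip between the SELECT and the INSERT. Keeping the application-level check is fine for a friendlier error message, but the constraint is what actually guarantees one row per username.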
Positive Technologies · added 2024/06/06 12:00 a.m.

PT-2024-35320 · Lunary Ai · Lunary

Affected: lunary-ai/lunary version 1.2.5. Description: an improper access control issue exists due to a missing permission check in the "GET /v1/users/me/org" endpoint. The platform's role definitions restrict the Prompt Editor role to prompt management...

CVSS 6.5 · AI score 6.6 · EPSS 0.00469
Exploits: 1 · References: 7

Positive Technologies · added 2024/06/06 12:00 a.m.

PT-2024-23319 · Mintplex · Anything-Llm

Affected: mintplex-labs/anything-llm versions prior to 1.0.0. Description: an improper authorization issue exists in the mintplex-labs/anything-llm application, specifically within the "/api/v/" endpoint and its sub-routes. This flaw allows...

CVSS 9.4 · AI score 9.2 · EPSS 0.00552
Exploits: 1 · References: 8
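Four entries on this page are the same access-control failure at the object or route level: CVE-2023-49112 (any authenticated Kiuwan user can read any application by name), CVE-2024-2035 (any authenticated zenml user can PUT another user's record, including setting it inactive), PT-2024-35320 (a Lunary Prompt Editor reaching an org endpoint its role should not see) and PT-2024-23319 (missing authorization on anything-llm sub-routes). The example below is added here and is not the code of any of those projects. It puts the unchecked pattern beside checks that bind every object lookup to the caller's organisation, restrict self-service updates to the caller's own record with privileged fields reserved for admins, and gate every route on an explicit permission. Users, organisations, roles, permissions and applications are constructed.

```python
from dataclasses import dataclass, replace


class Forbidden(PermissionError):
    """Caller is authenticated but not allowed to perform this action."""


class NotFound(LookupError):
    """Object missing, or hidden from this caller (same answer on purpose)."""


@dataclass(frozen=True)
class User:
    id: int
    org: str
    role: str            # constructed roles: admin | member | prompt_editor
    name: str
    active: bool = True


# Constructed data: two organisations, one admin, one restricted role.
USERS = {
    1: User(1, "acme", "admin", "ada"),
    2: User(2, "acme", "member", "bob"),
    3: User(3, "globex", "member", "cy"),
    4: User(4, "acme", "prompt_editor", "dee"),
}
APPLICATIONS = {
    "billing": {"org": "acme", "language": "java", "loc": 120_000},
    "shop": {"org": "globex", "language": "php", "loc": 40_000},
}

# Fields only an admin may change; a member able to flip these on their own
# record could self-escalate, change organisation, or lock accounts.
PRIVILEGED_FIELDS = {"role", "active", "org"}
EDITABLE_FIELDS = PRIVILEGED_FIELDS | {"name"}

# Role -> permissions. The server must enforce exactly the scope a role
# advertises, on every route, not just on the obvious ones.
PERMISSIONS = {
    "admin": {"org:read", "org:write", "users:write", "prompts:write"},
    "member": {"org:read", "prompts:write"},
    "prompt_editor": {"prompts:write"},
}


def require_permission(actor, permission):
    if permission not in PERMISSIONS.get(actor.role, set()):
        raise Forbidden(f"role {actor.role} lacks {permission}")


def get_application_unchecked(actor, name):
    """Vulnerable: being logged in is the only requirement."""
    return APPLICATIONS[name]


def get_application(actor, name):
    """Hardened: the object must belong to the caller's organisation.
    Missing and foreign objects get the same response so names cannot
    be enumerated by probing."""
    app = APPLICATIONS.get(name)
    if app is None or app["org"] != actor.org:
        raise NotFound(name)
    return app


def update_user(actor, target_id, changes):
    """PUT /users/{id} with an object-level check on the target record."""
    unknown = changes.keys() - EDITABLE_FIELDS
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    target = USERS.get(target_id)
    if target is None:
        raise NotFound(target_id)
    if actor.role == "admin":
        if target.org != actor.org:
            raise Forbidden("admins act only within their own organisation")
    else:
        if target.id != actor.id:
            raise Forbidden("may only edit own record")
        if PRIVILEGED_FIELDS & changes.keys():
            raise Forbidden("privileged fields require admin")
    updated = replace(target, **changes)
    USERS[target_id] = updated
    return updated


def get_org(actor):
    """GET /users/me/org, gated on the org:read permission of the role."""
    require_permission(actor, "org:read")
    members = sorted(u.name for u in USERS.values() if u.org == actor.org)
    return {"org": actor.org, "members": members}


if __name__ == "__main__":
    print(get_application(USERS[2], "billing"))
    print(update_user(USERS[1], 2, {"active": False}))
    print(get_org(USERS[2]))
```

The two checks differ in kind: ownership (tenant, or self) is a property of the object and has to be evaluated per request against the record that was looked up, while the permission check is a property of the role and can sit in route middleware. An endpoint that runs caller-supplied code, as in the Langflow entries above, needs both plus authentication in front of them.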