1998 matches found
PT-2024-4567
Name of the Vulnerable Software and Affected Versions: MASA CMS versions prior to 7.4.6; MASA CMS versions prior to 7.3.13; MASA CMS versions prior to 7.2.8. Description: MASA CMS, an Enterprise Content Management platform, contains a SQL injection vulnerability in the processAsyncObject method...
PT-2024-25754 · Unknown · Computer Laboratory Management System
Name of the Vulnerable Software and Affected Versions: Computer Laboratory Management System version 1.0. Description: The issue concerns a Cross Site Scripting vulnerability. It allows remote attackers to inject arbitrary web script or HTML via the firstname, middlename, lastname parameters in th...
CVE-2024-34453
TwoNav 2.1.13 contains an SSRF vulnerability via the url parameter to index.php?c=api&method=readdata&type=connectivitytest which reaches /system/api.php...
CVE-2024-2667 InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.22 - Unauthenticated Arbitrary File Upload
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for...
CVE-2024-2667
CVE-2024-2667 affects the InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress. The root cause is insufficient file validation in the REST API endpoint /wp-json/instawp-connect/v1/config, affecting all versions up to 0.1.0.22. This enables unauthenticated attackers to upload arbi...
WordPress plugin InstaWP Connect security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...
GHSA-7GRX-F945-MJ96 Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation
Summary: Installation of a maliciously crafted plugin allows for remote code execution by an authenticated attacker. Details: Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding AP...
CVE-2024-33309
An issue in TVS Motor Company Limited TVS Connet Android v.4.5.1 and iOS v.5.0.0 allows a remote attacker to obtain sensitive information via an insecure API endpoint. NOTE: this is disputed as discussed in the msn-official/CVE-Evidence repository...
CVE-2024-33309
The CVE-2024-33309 issue affects TVS Connet on Android v4.5.1 and iOS v5.0.0, per multiple sources (Red Hat, NVD/CNNVD listing). The root cause is an insecure API endpoint that could allow a remote attacker to obtain sensitive information. Documents consistently describe vendor app TVS Connet as ...
PT-2024-30533 · Unknown · Adive Framework
Name of the Vulnerable Software and Affected Versions: Adive Framework version 2.0.8. Description: The issue is related to insufficient encoding of user-controlled inputs, resulting in a persistent Cross-Site Scripting (XSS) vulnerability. This vulnerability can be exploited via the...
TVS Motor Connect Mobile Application security vulnerability
TVS Motor Connect Mobile Application is an application by TVS Motor India to experience the products and services of TVS Motor Company. A security vulnerability exists in TVS Motor Connect Mobile Application Android v.4.5.1 and iOS v.5.0.0, which stems from a vulnerability that allows a remote...
PT-2024-3428 · Linksys · Linksys E5600
Name of the Vulnerable Software and Affected Versions: Linksys E5600 version 1.1.0.26. Description: The issue is related to a command injection vulnerability via the ipurl parameter at the "/API/info" form endpoint. This vulnerability is associated with the lack of neutralization of special elemen...
CVE-2024-3508
A flaw was found in Bombastic, which allows authenticated users to upload compressed bzip2 or zstd SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed...
CVE-2024-3508 Bzip2: compressed content bomb leads to denial of service of bombastic api
A flaw was found in Bombastic, which allows authenticated users to upload compressed bzip2 or zstd SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed...
CVE-2024-3508
CVE-2024-3508 concerns Bombastic: authenticated users can upload compressed (bzip2 or zstd) SBOMs via the API, with verification that requires decompression of the uploaded file first. The vulnerability centers on the upload endpoint and its handling of compressed content, enabling a partial impa...
SQL Injection
Umbraco is vulnerable to SQL injection. The vulnerability is due to insufficient input validation in API endpoint handling, which allows attackers to inject SQL code through modified requests...
SQL Injection
Overview: Affected versions of this package are vulnerable to SQL Injection due to a particular API endpoint modification by authenticated backoffice users, which allows the inclusion and execution of arbitrary SQL commands without proper sanitization or validation. An attacker can manipulate...
Umbraco Workflow's Backoffice users can execute arbitrary SQL
Impact: Backoffice users can execute arbitrary SQL. Explanation of the vulnerability: A Backoffice user can modify requests to a particular API endpoint to include SQL which will be executed by the server. Affected versions: All versions. Patches: Workflow 10.3.9, 12.2.6, 13.0.6, Plumber 10.1.2...