1998 matches found

Cvelist
added 2024/04/15 5:59 p.m. · 11 views

CVE-2023-4856

A format string vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user to execute arbitrary commands on a specific API endpoint...

CVSS 8.8 · AI score 9 · EPSS 0.00665
Exploits 0 · References 1
CVE
added 2024/04/15 5:59 p.m. · 74 views

CVE-2023-4856

The CVE-2023-4856 entry concerns a format-string vulnerability in Lenovo SMM/SMM2 and FPC. An authenticated user could trigger execution of arbitrary commands via a specific API endpoint, due to improper handling of format strings in the affected components. The connected Red Hat, NVD, CVE lists ...

CVSS 8.8 · AI score 7.4 · EPSS 0.00665
Exploits 0 · References 1
Positive Technologies
added 2024/04/15 12:00 a.m. · 2 views

PT-2024-15530 · Mintplex · Anything-Llm

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm repository, affected versions not specified
Description: A mass assignment vulnerability exists in the "/api/invite/:code" endpoint, allowing unauthorized creation of high-privileged accounts. By intercepting and...

CVSS 9.1 · AI score 8.9 · EPSS 0.00783
Exploits 1 · References 8
Veracode
added 2024/04/12 5:13 a.m. · 20 views

Remote Code Execution (RCE)

aim is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper user access restriction to the RunView object, allowing for the execution of arbitrary code via a crafted query parameter to the /api/runs/search/run/ endpoint...

CVSS 9.8 · AI score 8.3 · EPSS 0.018
Exploits 1 · References 2 · Affected Software 1
Positive Technologies
added 2024/04/12 12:00 a.m. · 2 views

PT-2024-24235

Name of the Vulnerable Software and Affected Versions: tiagorlampert CHAOS version 5.0.1
Description: A Cross-Site Scripting (XSS) vulnerability exists in tiagorlampert CHAOS. A remote attacker may be able to escalate privileges via the sendCommandHandler function in the handler.go component. A...

CVSS 4.8 · AI score 7 · EPSS 0.08104
Exploits 6 · References 17
NVD
added 2024/04/10 5:15 p.m. · 16 views

CVE-2024-3283

A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multi_user_mode' system variable, enabling...

CVSS 7.2 · AI score 7 · EPSS 0.0095
Exploits 1 · References 2
NVD
added 2024/04/10 5:15 p.m. · 11 views

CVE-2024-3025

mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo filename functionality. Attackers can exploit this vulnerability by manipulating the logo filename to reference files outside of the restricted directory. This can...

CVSS 9.9 · AI score 9.4 · EPSS 0.01
Exploits 1 · References 2
NVD
added 2024/04/10 5:15 p.m. · 12 views

CVE-2024-2195

A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the /api/runs/search/run/ endpoint, affecting versions = 3.0.0. The vulnerability resides in the runsearchapi function of the aim/web/api/runs/views.py file, where improper restricti...

CVSS 9.8 · AI score 10 · EPSS 0.018
Exploits 1 · References 1
CVE
added 2024/04/10 5:07 p.m. · 115 views

CVE-2024-3283

CVE-2024-3283 concerns mintplex-labs/anything-llm. A mass-assignment flaw in the /admin/system-preferences endpoint lets users with the Manager role modify the multi_user_mode variable, enabling access to /api/system/enable-multi-user and the creation of a new admin user. The root cause is the en...

CVSS 7.2 · AI score 7 · EPSS 0.0095
Exploits 1 · References 2 · Affected Software 1
Cvelist
added 2024/04/10 5:07 p.m. · 25 views

CVE-2024-3283 Privilege Escalation via Mass Assignment in mintplex-labs/anything-llm

A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multi_user_mode' system variable, enabling...

CVSS 7.2 · AI score 7.2 · EPSS 0.0095
Exploits 1 · References 2
Vulnrichment
added 2024/04/10 5:07 p.m. · 13 views

CVE-2024-3283 Privilege Escalation via Mass Assignment in mintplex-labs/anything-llm

A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multi_user_mode' system variable, enabling...

CVSS 7.2 · AI score 7.2 · EPSS 0.0095
Exploits 1 · References 2
Positive Technologies
added 2024/04/10 12:00 a.m. · 3 views

PT-2024-24905 · Mintplex · Anything-Llm

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm, affected versions not specified
Description: A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The...

CVSS 7.2 · AI score 6.9 · EPSS 0.0095
Exploits 1 · References 6
NVD
added 2024/04/09 9:15 a.m. · 18 views

CVE-2024-31978

A vulnerability has been identified in SINEC NMS All versions V2.0 SP2. Affected devices allow authenticated users to export monitoring data. The corresponding API endpoint is susceptible to path traversal and could allow an authenticated attacker to download files from the file system. Under...

CVSS 7.6 · AI score 7.3 · EPSS 0.00464
Exploits 0 · References 1
Vulnrichment
added 2024/04/09 8:34 a.m. · 15 views

CVE-2024-31978

A vulnerability has been identified in SINEC NMS All versions V2.0 SP2. Affected devices allow authenticated users to export monitoring data. The corresponding API endpoint is susceptible to path traversal and could allow an authenticated attacker to download files from the file system. Under...

CVSS 7.6 · AI score 6.8 · EPSS 0.00464
Exploits 0 · References 1
RedhatCVE
added 2024/04/09 8:21 a.m. · 82 views

CVE-2024-3508

A flaw was found in Bombastic, which allows authenticated users to upload compressed bzip2 or zstd SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed...

CVSS 4.3 · AI score 6.9 · EPSS 0.00491
Exploits 0 · References 3
Positive Technologies
added 2024/04/09 12:00 a.m. · 3 views

PT-2024-24132 · Unknown · Computer Laboratory Management System

Name of the Vulnerable Software and Affected Versions: Computer Laboratory Management System version 1.0
Description: A stored cross-site scripting (XSS) issue allows attackers to execute arbitrary JavaScript code by including malicious payloads into remarks, borrower name, faculty department...

CVSS 5.4 · AI score 6 · EPSS 0.00443
Exploits 1 · References 5
Positive Technologies
added 2024/04/08 12:00 a.m. · 3 views

PT-2024-22373 · Web-Flash · Web-Flash

Name of the Vulnerable Software and Affected Versions: web-flash version 3.0
Description: An issue in web-flash allows attackers to reset passwords for arbitrary users via a crafted POST request to "/prod-api/user/resetPassword".
Recommendations: For web-flash version 3.0, consider disabling the...

CVSS 8.1 · AI score 7.1 · EPSS 0.00427
Exploits 0 · References 7
Cvelist
added 2024/04/05 8:44 p.m. · 31 views

CVE-2023-4605

A valid authenticated Lenovo XClarity Administrator (LXCA) user can potentially leverage an unauthenticated API endpoint to retrieve system event information...

CVSS 6.5 · AI score 6.7 · EPSS 0.00458
Exploits 0 · References 1
CVE
added 2024/04/05 8:44 p.m. · 82 views

CVE-2023-4605

The CVE-2023-4605 case describes a vulnerability in Lenovo XClarity Administrator (LXCA) where a valid authenticated LXCA user can potentially leverage an unauthenticated API endpoint to retrieve system event information. Affected component: LXCA's API surface exposing system event data. Root ca...

CVSS 6.5 · AI score 6.8 · EPSS 0.00458
Exploits 0 · References 1
OSV
added 2024/04/05 9:30 a.m. · 15 views

GHSA-W67V-PH4X-F48Q Mattermost Server Improper Access Control

Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users,...

CVSS 5.1 · AI score 4.5 · EPSS 0.00331
Exploits 0 · References 8