Mars: CSRF to delete a pet
The /kisallataim/ANIMALID/delete API endpoint at myroyalcanin.hu was found to be vulnerable to Cross-Site Request Forgery (CSRF) attacks. This vulnerability could have been exploited to delete a user's pet from their account without their knowledge or consent...
PT-2023-21411 · Unknown · Mattermost
Name of the Vulnerable Software and Affected Versions: Mattermost affected versions not specified Description: The issue allows an authenticated attacker to edit an arbitrary channel post when creating a playbook run via the "/dialog API" endpoint. This is due to Mattermost's failure to validate...
CVE-2023-34747
File upload vulnerability in ujcms 6.0.2 via /api/backend/core/web-file-upload/upload...
PT-2023-4271 · Totolink · Totolink A7100Ru
Name of the Vulnerable Software and Affected Versions: TOTOLink A7100RU version V7.4cu.2313 B20191024 Description: The issue is related to the lack of input data sanitization in the staticGw function of the TOTOLink A7100RU router's firmware. This allows a remote attacker to exploit the...
PT-2023-18812 · Vcita · Online Booking & Scheduling Calendar For Wordpress
Name of the Vulnerable Software and Affected Versions: The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress versions up to, and including, 4.2.10 Description: The issue allows unauthorized modification of data via the "/wp-json/vcita-wordpress/v1/actions/auth"...
CVE-2023-28345
An issue was discovered in Faronics Insight 10.0.19045 on Windows. The Insight Teacher Console application exposes the teacher's Console password in cleartext via an API endpoint accessible from localhost. Attackers with physical access to the Teacher Console can open a web browser, navigate to t...
PT-2023-24425 · H3C · H3C Magic R300
Name of the Vulnerable Software and Affected Versions: H3C Magic R300 version R300-2100MV100R004 Description: A stack overflow issue was discovered via the SetMobileAPInfoById interface at the "/goform/aspForm" API endpoint. Recommendations: For H3C Magic R300 version R300-2100MV100R004, consider...
PT-2023-24418 · H3C · H3C Magic R300
Name of the Vulnerable Software and Affected Versions: H3C Magic R300 version R300-2100MV100R004 Description: A stack overflow issue was discovered via the ipqos lanip dellist interface at the "/goform/aspForm" API endpoint. Recommendations: For H3C Magic R300 version R300-2100MV100R004, as a...
PT-2023-24421 · H3C · H3C Magic R300
Name of the Vulnerable Software and Affected Versions: H3C Magic R300 version R300-2100MV100R004 Description: A stack overflow issue was discovered via the "UpdateMacClone" interface at the "/goform/aspForm" API endpoint. Recommendations: For H3C Magic R300 version R300-2100MV100R004, consider...
CVE-2023-28345
CVE-2023-28345 affects Faronics Insight 10.0.19045 on Windows, where the Insight Teacher Console exposes the teacher’s password in cleartext via a localhost API endpoint. An attacker with physical access can open a browser, access the endpoint, and obtain the password, enabling login to the Teach...
Cross-site Scripting (XSS)
SSCMS is vulnerable to Cross-site Scripting (XSS). The vulnerability exists because of improper sanitization of the ajaxDivId argument in the Submit function of ActionsSearchController.Submit.cs, which allows an attacker to inject and execute malicious JavaScript through the...
PT-2023-24495 · Netbox · Netbox
Name of the Vulnerable Software and Affected Versions: Netbox version 3.5.1 Description: A stored cross-site scripting (XSS) issue exists in the Create Site Groups function, specifically at the /dcim/site-groups/ API endpoint, allowing attackers to execute arbitrary web scripts or HTML by injecting...
eBankIT 6 Arbitrary OTP Generation
CVE-2023-33291 Description: In eBankIT 6, the public endpoints /public/token/Email/generate and /public/token/SMS/generate allow generation of OTP messages to any email address or phone number without validation. Additional Information: The cookies in the...
GHSA-HQXW-F8MX-CPMW distribution catalog API endpoint can lead to OOM via malicious user input
Impact Systems that run distribution built after a specific commit running on memory-restricted environments can suffer from denial of service by a crafted malicious /v2/catalog API endpoint request. Patches Upgrade to at least 2.8.2-beta.1 if you are running v2.8.x release. If you use the code...
Information disclosure
An issue was discovered on GL.iNet devices before 3.216. An API endpoint reveals information about the Wi-Fi configuration, including the SSID and key...
CVE-2023-31478
An issue was discovered on GL.iNet devices before 3.216. An API endpoint reveals information about the Wi-Fi configuration, including the SSID and key...
PT-2023-23357 · Gl.Inet · Gl.Inet
Name of the Vulnerable Software and Affected Versions: GL.iNet devices versions prior to 3.216 Description: An issue was discovered that reveals information about the Wi-Fi configuration, including the SSID and key, through an API endpoint. Recommendations: For versions prior to 3.216, update to...