1998 matches found

Vulnrichment
added 2023/05/08 10:56 p.m. · 12 views

CVE-2023-22813 Device API endpoint missing access controls on Western Digital Mobile and Web Apps

A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Android Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS...

CVSS 3.3 · AI score 4.5 · EPSS 0.00455
Exploits 0 · References 1
Cvelist
added 2023/05/08 10:56 p.m. · 21 views

CVE-2023-22813 Device API endpoint missing access controls on Western Digital Mobile and Web Apps

A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Android Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS...

CVSS 3.3 · AI score 4.8 · EPSS 0.00455
Exploits 0 · References 1
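The two CVE-2023-22813 records above are cut off at "permissive CORS", but the pattern they name is the usual one: an API endpoint that lacks its own access control and answers any Origin with a reflected Access-Control-Allow-Origin plus Access-Control-Allow-Credentials, so a page on an attacker's site can read authenticated responses through the victim's browser. The following is an added example written for this listing in plain Python, not code from Western Digital or any of the apps named; the origins in ALLOWED_ORIGINS and the helper names are constructed for illustration. It shows the weak reflect-everything pattern beside an exact-match allow-list and models the browser's credentialed-fetch check.

```python
"""Permissive vs. allow-listed CORS handling for a credentialed device API.

Added example for this listing, not code from Western Digital or from any of
the apps above. The origins in ALLOWED_ORIGINS are constructed placeholders.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allow-list of first-party web-app origins that may call the
# device API with credentials (cookies or tokens the browser attaches).
ALLOWED_ORIGINS = frozenset({
    "https://app.example-cloud.test",
    "https://home.example-cloud.test",
})


def cors_headers_permissive(origin: Optional[str]) -> Dict[str, str]:
    """Weak pattern: reflect whatever Origin the browser sent and allow
    credentials. Any site the victim visits can then read authenticated
    responses from the device API through the victim's browser."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_hardened(origin: Optional[str]) -> Dict[str, str]:
    """Hardened: exact-match the Origin (scheme + host + port) against the
    allow-list. Anything else gets no CORS headers at all, so the browser
    refuses to hand the response to the calling page."""
    if origin is None or origin == "null":
        return {}
    parts = urlsplit(origin)
    if parts.scheme != "https" or parts.path not in ("", "/") or parts.query or parts.fragment:
        return {}
    normalized = "{}://{}".format(parts.scheme, parts.netloc).lower()
    if normalized not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        # Responses differ per Origin, so shared caches must key on it.
        "Vary": "Origin",
    }


def browser_can_read(headers: Dict[str, str], origin: str) -> bool:
    """Model the browser's check for a credentialed cross-origin fetch: the
    response must name this exact origin (a wildcard is rejected when
    credentials are included) and explicitly allow credentials."""
    return (
        headers.get("Access-Control-Allow-Origin") == origin
        and headers.get("Access-Control-Allow-Credentials") == "true"
    )
```

The exact-match comparison is the point: suffix or substring checks on the host let `app.example-cloud.test.attacker.test` through, and a reflected `null` origin is readable from sandboxed iframes and local files. CORS only limits what a browser will hand to a page; the endpoint still needs its own authentication and authorization check for every caller.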
WPVulnDB
added 2023/05/08 12:00 a.m. · 23 views

HollerBox < 2.1.4 - Admin+ SQL Injection

The plugin concatenates user input into an SQL query without escaping it first in the plugin's report API endpoint, which could allow administrators in a multi-site configuration to leak sensitive information from the site's database. PoC: 1. Login as admin. 2. Make sure HollerBox is installed and...

CVSS 4.9 · AI score 9 · EPSS 0.00752
Exploits 2 · Affected Software 1
Huntr
added 2023/04/29 1:51 p.m. · 98 views

Stored XSS and CSP Bypass in KiwiTCMS

Description: Stored XSS, also known as persistent XSS, is the more damaging kind of XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Due to a sanitization problem it is possible to perform a Stored XSS. The problem is that the upload function permit...

AI score 6.2
Exploits 0
OSV
added 2023/04/27 5:11 p.m. · 23 views

GHSA-JWG4-QCGV-5WG6 SQL Injection in Admin Translations API

Impact: SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any...

CVSS 8.8 · AI score 8.9 · EPSS 0.00791
Exploits 0 · References 6
OSV
added 2023/04/27 5:10 p.m. · 24 views

GHSA-XMG8-W465-MR56 SQL Injection in Translation Export API

Impact: SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any...

CVSS 8.8 · AI score 8.9 · EPSS 0.00791
Exploits 0 · References 6
OSV
added 2023/04/27 5:09 p.m. · 27 views

GHSA-6MHM-GCPF-5GR8 SQL Injection in Admin Search Find API

Impact: SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any...

CVSS 8.8 · AI score 8.9 · EPSS 0.0073
Exploits 0 · References 6
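The HollerBox record and the three GHSA records above describe the same root cause from two angles: user input concatenated into SQL text, and the resulting ability to read rows the endpoint was never meant to return. The following is an added example written for this listing in plain Python with the standard-library sqlite3 module, not code from HollerBox, Pimcore or any project above; the `reports` and `users` tables, their rows and the UNION payload are constructed for illustration. It shows a "report" style lookup in its concatenated form beside the parameterized form, and a payload that pulls a second table's data through the weak one.

```python
"""String-concatenated vs. parameterized SQL for a 'report' style API.

Added example (plain Python + sqlite3), not code from HollerBox, Pimcore or any
project listed above; table names and data are constructed for illustration.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample database: a 'reports' table the endpoint is meant to
    query and a 'users' table whose contents it must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE reports (id INTEGER PRIMARY KEY, popup TEXT, views INTEGER);
        INSERT INTO reports VALUES (1, 'spring-sale', 120), (2, 'newsletter', 45);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, api_key TEXT);
        INSERT INTO users VALUES (1, 'admin@example.test', 'sk_live_constructed_secret');
        """
    )
    return conn


def report_views_vulnerable(conn: sqlite3.Connection, popup: str) -> List[Tuple]:
    """Weak pattern: the caller-supplied value is spliced into the query text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT popup, views FROM reports WHERE popup = '" + popup + "'"
    return conn.execute(sql).fetchall()


def report_views_parameterized(conn: sqlite3.Connection, popup: str) -> List[Tuple]:
    """Hardened: the value is bound as a parameter and never becomes SQL text,
    so the same payload is just a popup name that matches nothing."""
    sql = "SELECT popup, views FROM reports WHERE popup = ?"
    return conn.execute(sql, (popup,)).fetchall()


# Constructed UNION-based payload: closes the string literal, appends a second
# SELECT with the same column count that reads from 'users', and comments out
# the trailing quote the original query would have added.
UNION_PAYLOAD = "x' UNION SELECT email, api_key FROM users --"
```

Escaping the input (the advisory's wording) closes the quoted-string case but not numeric or identifier positions; binding parameters covers all value positions, and table or column names that must vary have to come from a fixed allow-list rather than from the request.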
OSV
added 2023/04/27 4:44 p.m. · 18 views

CVE-2023-30852 Pimcore Arbitrary File Read in Admin JS CSS files

Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the /admin/misc/script-proxy API endpoint that is accessible by an authenticated administrator user is vulnerable to arbitrary JavaScript and CSS file read via the scriptPath and scripts parameters. The...

CVSS 4.4 · AI score 4.9 · EPSS 0.00796
Exploits 0 · References 5
NVD
added 2023/04/26 8:15 p.m. · 29 views

CVE-2022-45456

Denial of service due to unauthenticated API endpoint. The following products are affected: Acronis Agent Windows, macOS, Linux before build 30161...

CVSS 7.5 · AI score 5 · EPSS 0.00345
Exploits 0 · References 1
Cvelist
added 2023/04/26 7:54 p.m. · 29 views

CVE-2022-45456

Denial of service due to unauthenticated API endpoint. The following products are affected: Acronis Agent Windows, macOS, Linux before build 30161...

CVSS 3.3 · AI score 7.8 · EPSS 0.00345
Exploits 0 · References 1
CVE
added 2023/04/26 12:00 a.m. · 81 views

CVE-2023-29443

Summary of CVE-2023-29443 from connected sources: Multiple ManageEngine products (ServiceDesk Plus, ServiceDesk Plus MSP, SupportCenter Plus, AssetExplorer) are affected by an XML External Entity (XXE) vulnerability. A privileged SDAdmin can configure a malicious server to return malformed XML vi...

CVSS 4.9 · AI score 5 · EPSS 0.03026
Exploits 0 · References 1 · Affected Software 4
Positive Technologies
added 2023/04/26 12:00 a.m. · 3 views

PT-2023-22591 · Ourphp · Ourphp

Name of the Vulnerable Software and Affected Versions: OURPHP versions 7.2.0 and earlier
Description: The issue is related to Cross-Site Scripting (XSS) and can be exploited via the "/client/manage/ourphp out.php" API endpoint.
Recommendations: For OURPHP versions 7.2.0 and earlier, at the moment,...

CVSS 6.1 · AI score 5.7 · EPSS 0.08115
Exploits 9 · References 5
Positive Technologies
added 2023/04/25 12:00 a.m. · 3 views

PT-2023-13899 · Unknown · Pingfederate

Name of the Vulnerable Software and Affected Versions: PingFederate, affected versions not specified
Description: The issue concerns a Cross-Site Request Forgery (CSRF) vulnerability. It affects the "/pf/idprofile.ping" API endpoint, which is vulnerable to crafted GET requests.
Recommendations: At t...

CVSS 8.8 · AI score 8.7 · EPSS 0.00181
Exploits 0 · References 2
CNVD
added 2023/04/24 12:00 a.m. · 6 views

Modoboa Information Disclosure Vulnerability

Modoboa is an email hosting and management platform for individual developers. An information disclosure vulnerability exists in Modoboa versions prior to 2.1.0, caused by /api/v2/parameters/core/ returning sensitive information without any authentication or authorization. An attacker c...

CVSS 9.1 · AI score 6.2 · EPSS 0.43756
Exploits 1 · References 1
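The Modoboa record above is the plain form of a missing-access-control bug: a view assembles configuration data and returns it before anything checks who is asking. The following is an added example written for this listing, a minimal WSGI application in plain Python, not Modoboa's code or its API framework; the route path mirrors the advisory, while the bearer token, the parameter values and the `probe` helper are constructed for illustration. It shows the view in its unauthenticated form beside one that checks credentials first, and drives both in-process the way a test client would, which is also the check to run against a real deployment: an anonymous GET to the endpoint must come back 401 with no data.

```python
"""Checking that a parameters endpoint refuses unauthenticated callers.

Added example: a minimal WSGI app written for this listing, not Modoboa's code.
The route name mirrors the advisory; the token, parameters and responses are
constructed for illustration.
"""
import hmac
import json
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sensitive configuration that must not leak to anonymous callers.
CORE_PARAMETERS = {
    "default_password": "constructed-secret",
    "sender_address": "postmaster@example.test",
}
# Constructed API token for the single authorized client.
VALID_TOKEN = "constructed-api-token"

View = Callable[[dict], Tuple[str, Dict[str, str]]]


def _authenticated(environ: dict) -> bool:
    """Bearer-token check in constant time; a missing or wrong token is False."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token, VALID_TOKEN)


def parameters_view_vulnerable(environ: dict) -> Tuple[str, Dict[str, str]]:
    """Weak pattern: the view hands configuration to anyone who asks."""
    return "200 OK", CORE_PARAMETERS


def parameters_view_hardened(environ: dict) -> Tuple[str, Dict[str, str]]:
    """Hardened: authentication is decided before any data is assembled."""
    if not _authenticated(environ):
        return "401 Unauthorized", {"detail": "Authentication credentials were not provided."}
    return "200 OK", CORE_PARAMETERS


def make_app(view: View):
    """Wrap a view into a WSGI application serving GET /api/v2/parameters/core/."""
    def app(environ, start_response):
        if environ.get("PATH_INFO") != "/api/v2/parameters/core/" or environ.get("REQUEST_METHOD") != "GET":
            start_response("404 Not Found", [("Content-Type", "application/json")])
            return [b'{"detail": "Not found."}']
        status, payload = view(environ)
        start_response(status, [("Content-Type", "application/json")])
        return [json.dumps(payload).encode("utf-8")]
    return app


def probe(app, token: Optional[str] = None) -> Tuple[str, dict]:
    """Call the app in-process: GET the endpoint with or without a bearer
    token and return (status line, decoded JSON body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/api/v2/parameters/core/"}
    if token is not None:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + token
    captured: List[str] = []

    def start_response(status, headers):
        captured.append(status)

    body = b"".join(app(environ, start_response))
    return captured[0], json.loads(body)
```

The ordering inside `parameters_view_hardened` is the part worth copying: the credential check runs before the response is built, so a refactor that adds fields to the payload cannot reintroduce the leak. In frameworks where authentication is attached per view, a view-level permission check that defaults to "deny" catches the case where one route is registered without it.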
Positive Technologies
added 2023/04/21 12:00 a.m. · 3 views

PT-2023-22473 · H3C · H3C Magic R200

Name of the Vulnerable Software and Affected Versions: H3C Magic R200 version R200V100R004
Description: A stack overflow issue was discovered via the UpdateWanParams interface at the "/goform/aspForm" API endpoint.
Recommendations: For H3C Magic R200 version R200V100R004, consider restricting...

CVSS 4.9 · AI score 7 · EPSS 0.00787
Exploits 0 · References 6
Positive Technologies
added 2023/04/21 12:00 a.m. · 5 views

PT-2023-22464 · H3C · H3C Magic R200

Name of the Vulnerable Software and Affected Versions: H3C Magic R200 version R200V100R004
Description: A stack overflow issue was discovered via the SetMobileAPInfoById interface at the "/goform/aspForm" API endpoint. This issue affects the H3C Magic R200 device.
Recommendations: For H3C Magic...

CVSS 4.9 · AI score 5.2 · EPSS 0.00787
Exploits 0 · References 5
Positive Technologies
added 2023/04/21 12:00 a.m. · 4 views

PT-2023-22469 · H3C · H3C Magic R200

Name of the Vulnerable Software and Affected Versions: H3C Magic R200 version R200V100R004
Description: A stack overflow issue was discovered via the DelvsList interface at the "/goform/aspForm" API endpoint. This issue affects the H3C Magic R200 device.
Recommendations: For H3C Magic R200 versio...

CVSS 4.9 · AI score 5.2 · EPSS 0.00787
Exploits 0 · References 5
Positive Technologies
added 2023/04/21 12:00 a.m. · 4 views

PT-2023-22467 · H3C · H3C Magic R200

Name of the Vulnerable Software and Affected Versions: H3C Magic R200 version R200V100R004
Description: A stack overflow issue was discovered via the UpdateMacClone interface at the "/goform/aspForm" API endpoint. This issue affects the specified version of the H3C Magic R200.
Recommendations: Fo...

CVSS 4.9 · AI score 5.3 · EPSS 0.00787
Exploits 0 · References 4
Positive Technologies
added 2023/04/21 12:00 a.m. · 3 views

PT-2023-22470 · H3C · H3C Magic R200

Name of the Vulnerable Software and Affected Versions: H3C Magic R200 version R200V100R004
Description: A stack overflow issue was discovered via the SetAPWifiorLedInfoById interface at the "/goform/aspForm" API endpoint.
Recommendations: For H3C Magic R200 version R200V100R004, consider disablin...

CVSS 4.9 · AI score 5.2 · EPSS 0.00787
Exploits 0 · References 5
Positive Technologies
added 2023/04/21 12:00 a.m. · 4 views

PT-2023-22471 · H3C · H3C Magic R200

Name of the Vulnerable Software and Affected Versions: H3C Magic R200 version R200V100R004
Description: A stack overflow issue was discovered via the DeltriggerList interface at the "/goform/aspForm" API endpoint. This issue affects the H3C Magic R200 device.
Recommendations: For H3C Magic R200...

CVSS 4.9 · AI score 5.2 · EPSS 0.00787
Exploits 0 · References 5