Lucene search

1998 matches found
Source: Positive Technologies · added 2022/08/25 12:00 a.m.

PT-2022-23579 · Unknown · Library Management System

Name of the Vulnerable Software and Affected Versions: Library Management System version 1.0. Description: The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the id parameter at the "/admin/changestock.php" API endpoint. Recommendations: For Library...

CVSS 9.8 · AI score 9.5 · EPSS 0.0076 · Exploits: 1 · References: 3
Source: Positive Technologies · added 2022/08/25 12:00 a.m.

PT-2022-23909 · Tenda · Tenda Ax12

Name of the Vulnerable Software and Affected Versions: Tenda AX12 version V22.03.01.21_CN. Description: The issue is related to a buffer overflow that occurs in the sub_42FDE4 function. This function handles POST requests under the "/goform/SetIpMacBind" API endpoint, which is triggered by the sub...

CVSS 5.5 · AI score 5.3 · EPSS 0.00283 · Exploits: 1 · References: 4
Source: Positive Technologies · added 2022/08/25 12:00 a.m.

PT-2022-23796 · Totolink · Totolink A7000R

Name of the Vulnerable Software and Affected Versions: TOTOLINK A7000R version 9.1.0u.6115_B20201022. Description: A command injection issue was found in the setting/setTracerouteCfg API endpoint, specifically via the command parameter. Recommendations: For version 9.1.0u.6115_B20201022, as a...

CVSS 7.8 · AI score 7.8 · EPSS 0.01133 · Exploits: 1 · References: 2
Source: Positive Technologies · added 2022/08/25 12:00 a.m.

PT-2022-16224 · Ece · Ece

Name of the Vulnerable Software and Affected Versions: ECE (Elastic Cloud Enterprise) versions prior to 3.4.0. Description: A flaw in ECE might lead to the disclosure of sensitive information, such as user passwords and Elasticsearch keystore settings values, in logs like the audit log or deployment logs in the Logging and...

CVSS 6.5 · AI score 6.3 · EPSS 0.0065 · Exploits: 0 · References: 3
Source: Positive Technologies · added 2022/08/25 12:00 a.m.

PT-2022-24084 · Tenda · Tenda Ac1206

Name of the Vulnerable Software and Affected Versions: Tenda AC1206 version 15.03.06.23. Description: A stack overflow issue was discovered via the page parameter in the fromDhcpListClient function. Recommendations: For Tenda AC1206 version 15.03.06.23, consider disabling the fromDhcpListClient...

CVSS 9.8 · AI score 9.6 · EPSS 0.00976 · Exploits: 1 · References: 3
Source: Positive Technologies · added 2022/08/15 12:00 a.m.

PT-2022-8644 · Zoho · Manageengine Analytics Plus

Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine Analytics Plus versions prior to 4350. Description: A directory traversal issue exists due to the ZDBQAREFSUBDIR parameter in the "/zropusermgmt" API endpoint. This allows remote attackers to potentially run arbitrary code...

CVSS 9.8 · AI score 9.3 · EPSS 0.07731 · Exploits: 0 · References: 2
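The Analytics Plus entry above describes the directory-traversal class: a request parameter naming a sub-directory is joined onto a server-side base path. The following is an added illustration of that class, not Zoho's code; the base path, the `subdir` parameter and the helper names are hypothetical, chosen only to show the naive join beside a join that refuses to leave the base directory.

```python
"""Constructed illustration of path traversal via a user-supplied sub-directory
parameter. Hypothetical base path and helper names; not ManageEngine code."""
import os
from pathlib import Path, PurePosixPath


def join_vulnerable(base: str, subdir: str) -> str:
    # Vulnerable: plain string join. "../../../etc/passwd" walks out of base.
    return f"{base.rstrip('/')}/{subdir}"


def where_vulnerable_lands(base: str, subdir: str) -> str:
    # Normalise the naive join to show the path the filesystem would actually open.
    return os.path.normpath(join_vulnerable(base, subdir))


def join_fixed(base: str, subdir: str) -> str:
    # Fixed: reject absolute input and any "." / ".." / empty segment, then
    # resolve the candidate and require it to sit at or beneath the resolved base.
    base_path = Path(base).resolve()
    rel = PurePosixPath(subdir)
    if rel.is_absolute() or any(part in ("", ".", "..") for part in rel.parts):
        raise ValueError(f"rejected sub-directory: {subdir!r}")
    candidate = (base_path / rel).resolve()
    if candidate != base_path and base_path not in candidate.parents:
        raise ValueError(f"rejected sub-directory: {subdir!r}")
    return str(candidate)


def escapes_base(base: str, subdir: str) -> bool:
    # Convenience predicate for logging / request filtering.
    try:
        join_fixed(base, subdir)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    base = "/srv/app/uploads"  # hypothetical server-side base directory
    for sub in ("reports/2022", "../../../etc/passwd", "/etc/passwd", "a/../../b"):
        print(f"{sub!r}: naive -> {where_vulnerable_lands(base, sub)}, "
              f"rejected={escapes_base(base, sub)}")
```

The segment check happens before resolution so that a symlink inside the base directory cannot be used to smuggle a `..` through; the containment check after resolution covers the case where the base itself is reached through a symlink.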
Source: Positive Technologies · added 2022/08/11 12:00 a.m.

PT-2022-22901 · Tenda · Tenda W6

Name of the Vulnerable Software and Affected Versions: Tenda W6 version 1.0.0.94122. Description: A stack overflow issue exists in the "/goform/wifiSSIDget" API endpoint, which can be exploited by attackers to cause a denial of service (DoS) via the index parameter. Recommendations: For Tenda W6...

CVSS 7.5 · AI score 7.4 · EPSS 0.00889 · Exploits: 1 · References: 3
Source: Positive Technologies · added 2022/07/28 12:00 a.m.

PT-2022-22204 · Unknown · Barangay Management System

Name of the Vulnerable Software and Affected Versions: Barangay Management System version 1.0. Description: A SQL injection issue was found in the Barangay Management System. The vulnerability can be exploited via the hidden id parameter at the "/pages/permit/permit.php" API endpoint...

CVSS 8.8 · AI score 8.9 · EPSS 0.00766 · Exploits: 1 · References: 2
Source: OSV · added 2022/07/26 11:15 p.m.

CVE-2022-36129

HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure...

CVSS 9.1 · AI score 6.9 · Exploits: 0 · References: 3
Source: Cvelist · added 2022/07/26 10:21 p.m.

CVE-2022-36129

HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure...

AI score 9.5 · EPSS 0.01307 · Exploits: 0 · References: 3
Source: IBM Security Bulletins · added 2022/07/07 6:37 a.m.

Security Bulletin: IBM Engineering Lifecycle Management is vulnerable (Server-Side Request Forgery vulnerability) when requesting a resource over an API endpoint to verify URLs from the target application server (CVE-2021-20421)

Summary guidance: There is a Server-Side Request Forgery vulnerability when requesting a resource over an API endpoint to verify URLs from the target application server. Vulnerability Details: CVEID: CVE-2021-20421. DESCRIPTION: IBM Jazz Foundation is vulnerable to server-side request forgery SSR...

CVSS 5.4 · AI score 0.9 · EPSS 0.00467 · Exploits: 0 · Affected Software: 1
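The bulletin above describes the server-side request forgery class: a server fetches a URL that a user supplied, here under the guise of "verifying" it, so the user can aim the server at loopback, private or cloud-metadata addresses. The following is an added example of the egress check a practitioner would put in front of such a fetch; it is not IBM's code, and the URL rules, the constructed DNS table and the helper names are assumptions made for the illustration. The resolver is injectable so the block runs offline.

```python
"""Constructed illustration of an outbound-URL (anti-SSRF) check. Hypothetical
policy and names; not IBM Jazz / ELM code."""
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]

# Constructed DNS table standing in for real resolution so the example runs offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],      # cloud metadata address
    "rebind.test": ["93.184.216.34", "10.0.0.5"],  # public + private mix
}


def system_resolver(host: str) -> List[str]:
    # Real resolver for production use; returns every address for the name.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def fake_resolver(host: str) -> List[str]:
    # IP literals resolve to themselves; names come from the constructed table.
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # is_global rejects private, loopback, link-local (incl. 169.254.169.254),
    # reserved and unspecified ranges; multicast is excluded separately because
    # IPv4 multicast is not in the private list.
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url: str, resolver: Resolver = system_resolver) -> str:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("hostname required; credentials in URL not allowed")
    if parts.port not in (None, 80, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    # Resolve once and check every address: a name that maps to a mix of
    # public and internal addresses is rejected outright.
    addresses = resolver(parts.hostname)
    if not addresses or not all(is_public_address(a) for a in addresses):
        raise ValueError(f"target resolves to a non-public address: {addresses}")
    return url


def is_allowed(url: str, resolver: Resolver = fake_resolver) -> bool:
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ("https://example.com/verify", "http://metadata.internal/latest/meta-data/",
              "http://rebind.test/", "http://127.0.0.1/", "http://[::1]/",
              "file:///etc/passwd", "http://example.com:8080/"):
        print(f"{u}: {'allowed' if is_allowed(u) else 'blocked'}")
```

Two caveats the check alone does not cover: the HTTP client must connect to the address that was validated (pin it, or re-check at connect time) so a DNS answer cannot change between check and fetch, and redirects must be validated with the same function hop by hop, since a public host can 302 to an internal one.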
Source: Positive Technologies · added 2022/06/27 12:00 a.m.

PT-2022-3878 · Robustel · Robustel R1510

Name of the Vulnerable Software and Affected Versions: Robustel R1510 version 3.3.0. Description: The issue is related to command injection vulnerabilities in the web server action endpoints functionalities. A specially-crafted network request can lead to arbitrary command execution. The...

CVSS 10 · AI score 9.7 · EPSS 0.04437 · Exploits: 1 · References: 6
Source: Positive Technologies · added 2022/06/27 12:00 a.m.

PT-2022-3879 · Robustel · Robustel R1510

Name of the Vulnerable Software and Affected Versions: Robustel R1510 version 3.3.0. Description: The issue is related to command injection vulnerabilities in the web server action endpoints functionalities. A specially-crafted network request can lead to arbitrary command execution. The...

CVSS 10 · AI score 9.6 · EPSS 0.04437 · Exploits: 1 · References: 7
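The TOTOLINK A7000R entry (command injection through the `command` parameter of setTracerouteCfg) and the two Robustel R1510 entries above are the same class: a web handler builds a shell command line from request data. The following is an added example of that pattern beside its hardened form; it is not code from either vendor's firmware, and the handler names, the traceroute option set and the validation policy are assumptions made for the illustration. The vulnerable variant is only built as a string, never executed.

```python
"""Constructed illustration of OS command injection in a traceroute-style web
handler and the argv-based fix. Hypothetical names; not vendor firmware code."""
import ipaddress
import re
import subprocess

# RFC 1123 style hostname: labels of alnum/hyphen, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
SHELL_META = ";|&`$(){}<>\n"


def build_shell_command_vulnerable(target: str) -> str:
    # Vulnerable pattern: request data interpolated into a shell string. A
    # target of "8.8.8.8; reboot" runs a second command if this is passed to
    # system() or subprocess with shell=True.
    return f"traceroute {target}"


def validate_target(target: str) -> str:
    # Accept only an IP literal or a DNS hostname; everything else is rejected.
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected traceroute target: {target!r}")


def build_argv_fixed(target: str, max_hops: int = 30) -> list:
    # Fixed pattern: validated input becomes a single argv element and no shell
    # is involved, so metacharacters are never interpreted. The regex and the
    # ip_address parse also guarantee the target cannot start with "-", so it
    # cannot be mistaken for an option.
    hops = int(max_hops)
    if not 1 <= hops <= 64:
        raise ValueError("max_hops out of range")
    return ["traceroute", "-m", str(hops), validate_target(target)]


def run_traceroute(target: str) -> subprocess.CompletedProcess:
    return subprocess.run(build_argv_fixed(target), shell=False,
                          capture_output=True, text=True, timeout=60)


def is_accepted(target: str) -> bool:
    try:
        build_argv_fixed(target)
        return True
    except ValueError:
        return False


def looks_injected(target: str) -> bool:
    # Cheap request-side signal for logging or a WAF rule.
    return any(c in target for c in SHELL_META)


if __name__ == "__main__":
    for t in ("8.8.8.8", "example.com", "2001:db8::1", "8.8.8.8; reboot", "$(id)", "-v"):
        print(f"{t!r}: shell string {build_shell_command_vulnerable(t)!r}, "
              f"accepted={is_accepted(t)}, injected={looks_injected(t)}")
```

The allow-list is deliberately narrower than "strip the dangerous characters": the handler only ever needs a host, so anything that is not a host is an error, and new shell quirks cannot reopen the hole.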
Source: NVD · added 2022/06/01 6:15 p.m.

CVE-2022-24848

DHIS2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability affects the /api/programs/orgUnits?programs= API endpoint in DHIS2 versions prior to 2.36.10.1 and 2.37.6.1. The system is vulnerable to attack only from...

CVSS 8.8 · EPSS 0.01064 · Exploits: 0 · References: 4
Source: Vulnrichment · added 2022/06/01 5:20 p.m.

CVE-2022-24848 SQL Injection in DHIS2's in OrgUnit program association

DHIS2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability affects the /api/programs/orgUnits?programs= API endpoint in DHIS2 versions prior to 2.36.10.1 and 2.37.6.1. The system is vulnerable to attack only from...

CVSS 8.8 · AI score 8.9 · EPSS 0.01064 · Exploits: 0 · References: 4
Source: Cvelist · added 2022/06/01 5:20 p.m.

CVE-2022-24848 SQL Injection in DHIS2's in OrgUnit program association

DHIS2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability affects the /api/programs/orgUnits?programs= API endpoint in DHIS2 versions prior to 2.36.10.1 and 2.37.6.1. The system is vulnerable to attack only from...

CVSS 8.8 · AI score 9.1 · EPSS 0.01064 · Exploits: 0 · References: 4
Source: OSV · added 2022/06/01 5:20 p.m.

CVE-2022-24848 SQL Injection in DHIS2's in OrgUnit program association

DHIS2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability affects the /api/programs/orgUnits?programs= API endpoint in DHIS2 versions prior to 2.36.10.1 and 2.37.6.1. The system is vulnerable to attack only from...

CVSS 8.8 · AI score 8.7 · EPSS 0.01064 · Exploits: 0 · References: 6
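Three of the entries in this listing are the same class: an identifier taken from the request (the `id` parameter in the Library Management System and Barangay Management System entries, the `programs=` value in the DHIS2 entries above) is placed into SQL text. The following is an added example of that pattern beside its parameterised fix, run against an in-memory SQLite table; it is not code from any of those projects, and the table, its rows and the helper names are constructed for the illustration.

```python
"""Constructed illustration of SQL injection through a numeric id parameter,
with the bound-parameter fix. Hypothetical schema; not code from the listed
products."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two public rows and one that the endpoint is
    # never supposed to return (secret = 1).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, secret INTEGER)")
    conn.executemany(
        "INSERT INTO books VALUES (?, ?, ?)",
        [(1, "Public book", 0), (2, "Another public book", 0), (3, "Restricted ledger", 1)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, book_id: str) -> list:
    # Vulnerable: the request parameter is pasted into the SQL text, so the
    # caller controls the WHERE clause. "1 OR secret = 1 --" disables the
    # secret = 0 restriction by commenting it out.
    sql = f"SELECT id, title FROM books WHERE id = {book_id} AND secret = 0"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, book_id: str) -> list:
    # Fixed: coerce to the expected type, then bind with a placeholder so the
    # value can only ever be compared, never parsed as SQL.
    try:
        numeric_id = int(book_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, title FROM books WHERE id = ? AND secret = 0", (numeric_id,)
    ).fetchall()


def detect_suspicious_id(book_id: str) -> bool:
    # Request-side signal for logs or a WAF rule: a value for an integer id
    # that is not a plain integer is not a legitimate request to this endpoint.
    return not book_id.strip().isdigit()


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR secret = 1 --"
    print("vulnerable:", lookup_vulnerable(db, payload))   # rows 1 and 3
    print("fixed:     ", lookup_fixed(db, payload))        # []
    print("suspicious:", detect_suspicious_id(payload))    # True
```

The type coercion is what makes the fix robust for an integer parameter; for free-text parameters the placeholder alone does the work, and the same rule applies to the DHIS2 case where the value is a list of identifiers: bind each one, never join them into the query string.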
Source: OSV · added 2022/05/24 7:20 p.m.

GHSA-MG2C-RC36-P594 Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter...

CVSS 9.8 · AI score 9.4 · EPSS 0.04431 · Exploits: 0 · References: 7
Source: Github Security Blog · added 2022/05/24 7:20 p.m.

Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter...

CVSS 9.8 · AI score 6.8 · EPSS 0.04431 · Exploits: 0 · References: 7 · Affected Software: 1
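The two Traffic Ops entries above describe LDAP filter injection: a username from the login request is spliced into a search filter without escaping. The following is an added example showing a filter built that way beside one that applies RFC 4515 value escaping; it is not Apache Traffic Control's code, and the filter template, the attribute names and the helper names are assumptions made for the illustration.

```python
"""Constructed illustration of LDAP filter injection through a login username
and the RFC 4515 escaping fix. Hypothetical filter template; not Traffic Ops code."""
import re

ASSERTION_OPEN = re.compile(r"\([A-Za-z][A-Za-z0-9.;-]*=")


def escape_filter_value(value: str) -> str:
    # RFC 4515 section 3: inside an assertion value, '*', '(', ')', '\' and NUL
    # must be written as a backslash followed by two hex digits.
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def login_filter_vulnerable(username: str) -> str:
    # Vulnerable: raw username in the filter. "*" alone matches every person;
    # a value containing ")(" rewrites the filter structure.
    return f"(&(objectClass=person)(uid={username}))"


def login_filter_fixed(username: str) -> str:
    # Fixed: the escaped value can only ever be compared literally.
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def count_assertions(filter_text: str) -> int:
    # Structural check usable in a test or a request log: a single-user login
    # filter built from this template has exactly two "(attr=" assertions.
    return len(ASSERTION_OPEN.findall(filter_text))


if __name__ == "__main__":
    crafted = "*)(uid=*))(|(uid=*"  # constructed injection payload
    for name in ("alice", "*", crafted):
        v, f = login_filter_vulnerable(name), login_filter_fixed(name)
        print(f"{name!r}\n  vulnerable [{count_assertions(v)} assertions]: {v}"
              f"\n  fixed      [{count_assertions(f)} assertions]: {f}")
```

Escaping is the right primitive here because LDAP filters have no bind-parameter mechanism; the escaped form of the crafted value is still passed to the directory, but as a literal string that cannot match any real `uid`.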
Source: Github Security Blog · added 2022/05/24 5:00 p.m.

Magento 2 Community Edition XSS Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing an arbitrary API endpoint that will not be checked by the sale pickup event...

CVSS 5.4 · AI score 5.9 · EPSS 0.00556 · Exploits: 0 · References: 5 · Affected Software: 1