GHSA-JR2M-29WJ-W9QC SQL Injection in FreeTAKServer-UI
FreeTAKServer-UI v1.9.8 was discovered to contain a SQL injection vulnerability via the API endpoint /AuthenticateUser...
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL injection
CVE-2022-25506
CVE-2022-25506 concerns FreeTAKServer-UI v1.9.8 with a reported SQL injection vulnerability in the API endpoint /AuthenticateUser. Multiple connected sources confirm the flaw stems from improper neutralization of SQL commands against the SQLite3 database, enabling an attacker to access sensitive...
PT-2022-1802 · Terramaster · Terramaster Nas
Name of the Vulnerable Software and Affected Versions: TerraMaster NAS versions prior to 4.2.31 Description: The issue is related to the createRaid module in TerraMaster NAS devices, which allows for the injection of arbitrary commands. This can enable a remote attacker to execute arbitrary code...
PT-2022-15682 · Cybonet · Cybonet Pineapp Mail Relay
Name of the Vulnerable Software and Affected Versions: Cybonet PineApp Mail Relay affected versions not specified Description: The issue allows an attacker to send a request to the "/manage/mailpolicymtm/log/eml viewer/email.content.body.php" API endpoint with a filesystem path parameter set to a...
CVE-2022-21713 Exposure of Sensitive Information in Grafana
Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. /teams/:teamId will allow an authenticated attacker to view unintended data by querying for the specific team ID,...
CVE-2022-21713
Grafana CVE-2022-21713 is an information-disclosure issue due to improper authorization handling on Teams API endpoints. Specifically, an authenticated user could access data via /teams/:teamId, enumerate teams via /teams/:search, or view team members via /teams/:teamId/members when editors_can_a...
PT-2022-15700 · Servisnet · Servisnet Tessa
Name of the Vulnerable Software and Affected Versions: Servisnet Tessa version 0.0.2 Description: An issue was discovered where authorization data is available via an unauthenticated request to the "/data-service/users/" API endpoint. Recommendations: For Servisnet Tessa version 0.0.2, consider...
CVE-2022-0218
The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the /includes/class-template-designer.php file, in versions up to...
Design/Logic Flaw
CVE-2022-0218 WP HTML Mail <= 3.0.9 Missing Authorization on REST-API Route
Authenticated-RCE-CuppaCMS
Authenticated-RCE-CuppaCMS CuppaCMS is vulnerable to Authentic...
F5 NGINX Controller API Code Injection Vulnerability
The F5 NGINX Controller is a self-service, API-driven platform for managing NGINX Plus that can be easily integrated into CI/CD workflows to accelerate application deployment and simplify application lifecycle management. user" or "admin" role access and authenticated attackers can use an...
WordPress Email Template Designer – WP HTML Mail 3.0.9 Cross Site Scripting Vulnerability
WordPress Email Template Designer – WP HTML Mail plugin versions 3.0.9 and below suffer from a cross site scripting vulnerability. Exploit makes it possible for unauthenticated attackers to achieve complete site takeover. On December 23, 2021 the Wordfence Threat Intelligence team initiated the...
CVE-2021-33964
China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /api/ZRRuleFilter/setfirewalllevel which receives parameters by POST request, and the parameter firewalllevel has a command injection vulnerability. An attacker can use the vulnerability to execute remote commands...
CVE-2021-24838
The AnyComment WordPress plugin before 0.3.5 has an API endpoint which passes user input via the redirect parameter to the wp_redirect function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature...
Open redirect
CVE-2021-24838 AnyComment < 0.3.5 - Open Redirect
CVE-2021-33963
China Mobile An Lianbao WF-1 v1.0.1 router web interface through /api/ZRMacClone/macaddrclone receives parameters by POST request, and the parameter macType has a command injection vulnerability. An attacker can use the vulnerability to execute remote commands...