1990 matches found

RedhatCVE
added 2025/07/30 11:40 p.m. · 12 views

CVE-2025-54765

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to import the appliance configuration, allowing an attacker to control the configuration of the appliance, to include...

CVSS 5.3 · AI score 7.1 · EPSS 0.00505
Exploits 2 · References 1
NVD
added 2025/07/29 12:15 a.m. · 7 views

CVE-2025-54766

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information...

CVSS 5.3 · EPSS 0.00434
Exploits 2 · References 3
NVD
added 2025/07/29 12:15 a.m. · 5 views

CVE-2025-54768

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to download logs from the appliance configuration, exposing sensitive information...

CVSS 5.3 · EPSS 0.00434
Exploits 2 · References 3
OSV
added 2025/07/29 12:15 a.m. · 2 views

CVE-2025-54765

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to import the appliance configuration, allowing an attacker to control the configuration of the appliance, to include...

CVSS 5.3 · AI score 5.8 · EPSS 0.00505
Exploits 2 · References 3
NVD
added 2025/07/29 12:15 a.m. · 4 views

CVE-2025-54765

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to import the appliance configuration, allowing an attacker to control the configuration of the appliance, to include...

CVSS 5.3 · EPSS 0.00505
Exploits 2 · References 3
Positive Technologies
added 2025/07/29 12:00 a.m. · 3 views

PT-2025-31218 · Unknown · Puneethreddyhc Online-Shopping-System-Advanced

Name of the Vulnerable Software and Affected Versions: PuneethReddyHC Online Shopping System Advanced version 1.0
Description: A SQL Injection issue exists due to improper sanitization of user-supplied input in the keyword POST parameter of the /action.php API endpoint.
Recommendations: Apply inp...

CVSS 7.7 · AI score 8.1 · EPSS 0.00108
Exploits 2 · References 6
Cvelist
added 2025/07/28 11:31 p.m. · 8 views

CVE-2025-54768 KL-001-2025-015: Xorux LPAR2RRD Read Only User Log Download Exposing Sensitive Information

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to download logs from the appliance configuration, exposing sensitive information...

EPSS 0.00434
Exploits 2 · References 2
CVE
added 2025/07/28 11:31 p.m. · 18 views

CVE-2025-54768

CVE-2025-54768 affects Xorux LPAR2RRD (versions 8.04 and prior). An API endpoint intended for web application administrators is accessible to lower-level read-only users, enabling download of appliance configuration logs and exposure of sensitive information (e.g., password hashes). The vulnerabi...

CVSS 5.3 · AI score 6.4 · EPSS 0.00434
Exploits 2 · References 3 · Affected Software 1
CVE
added 2025/07/28 11:25 p.m. · 26 views

CVE-2025-54765

CVE-2025-54765 concerns XorMon-NG from Xorux. Affected: version 1.8 and earlier. An API endpoint that should be restricted to web app administrators is accessible to lower-level read-only users, enabling import of appliance configuration and potentially granting administrative privileges. The vul...

CVSS 5.3 · AI score 6.4 · EPSS 0.00505
Exploits 2 · References 3 · Affected Software 1
Cvelist
added 2025/07/28 11:25 p.m. · 8 views

CVE-2025-54765 KL-001-2025-013: Xorux XorMon-NG Web Application Privilege Escalation to Administrator

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to import the appliance configuration, allowing an attacker to control the configuration of the appliance, to include...

EPSS 0.00505
Exploits 2 · References 2
Vulnrichment
added 2025/07/28 11:16 p.m. · 4 views

CVE-2025-54766 KL-001-2025-012: Xorux XorMon-NG Read Only User Export Device Configuration Exposing Sensitive Information

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information...

AI score 6.3 · EPSS 0.00434
Exploits 2 · References 2
CVE
added 2025/07/28 11:16 p.m. · 27 views

CVE-2025-54766

Xorux XorMon-NG has a privilege-API endpoint that should be admin-only but is accessible to lower-level read-only users, enabling export of the appliance configuration. Technical description from KoreLogic (KL-001-2025-012) and corroborated by multiple sources shows affected Version: 1.8 and prio...

CVSS 5.3 · AI score 6.3 · EPSS 0.00434
Exploits 2 · References 3 · Affected Software 1
Cvelist
added 2025/07/28 11:16 p.m. · 9 views

CVE-2025-54766 KL-001-2025-012: Xorux XorMon-NG Read Only User Export Device Configuration Exposing Sensitive Information

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information...

EPSS 0.00434
Exploits 2 · References 2
Positive Technologies
added 2025/07/28 12:00 a.m. · 5 views

PT-2025-31156 · Appliance · Appliance

Name of the Vulnerable Software and Affected Versions: affected versions not specified
Description: An API endpoint intended for web application administrators is accessible to lower-level read-only users. This allows unauthorized access to appliance configuration import functionality, potentiall...

CVSS 5.3 · AI score 7.1 · EPSS 0.00505
Exploits 2 · References 8
Positive Technologies
added 2025/07/28 12:00 a.m. · 4 views

PT-2025-31155 · Xorux · Xormon-Ng

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. affected versions not specified
Description: An API endpoint intended for web application administrators is accessible to lower-level read-only users. This allows unauthorized export of the appliance...

CVSS 5.3 · AI score 6 · EPSS 0.00434
Exploits 2 · References 8
Positive Technologies
added 2025/07/28 12:00 a.m. · 5 views

PT-2025-31158 · Xorux · Lpar2Rrd

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. affected versions not specified
Description: An API endpoint intended for web application administrators is accessible to lower-level read-only users. This allows unauthorized download of appliance...

CVSS 5.3 · AI score 6 · EPSS 0.00434
Exploits 2 · References 8
Snyk
added 2025/07/25 2:45 p.m. · 1 view

Information Exposure

Overview: Affected versions of this package are vulnerable to Information Exposure via the q URL parameter in the /api/v2.0/users endpoint. An attacker can retrieve sensitive password hash and salt values by abusing the filtering capability to extract this information character by character. Note:...

CVSS 6.9 · AI score 6.8 · EPSS 0.00387
Exploits 0 · References 2
CVE
added 2025/07/25 12:00 a.m. · 39 views

CVE-2025-30086

CVE-2025-30086 affects CNCF Harbor: Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 are vulnerable to an ORM leak via the /api/v2.0/users endpoint. The q URL parameter lets an administrator filter by any column and abuse password=~ to leak a user’s password hash and salt character by charact...

CVSS 4.9 · AI score 6.2 · EPSS 0.00387
Exploits 0 · References 4
Positive Technologies
added 2025/07/24 12:00 a.m. · 3 views

PT-2025-30656 · WordPress · Ai Engine

Name of the Vulnerable Software and Affected Versions: AI Engine plugin for WordPress versions through 2.9.4
Description: The AI Engine plugin for WordPress is susceptible to sensitive information exposure. The simpleTranscribeAudio API endpoint does not properly restrict URL schemes before...

CVSS 6.5 · AI score 6 · EPSS 0.00274
Exploits 0 · References 2
Positive Technologies
added 2025/07/24 12:00 a.m. · 1 view

PT-2025-30670 · Tenda · Tenda Ac8V4

Name of the Vulnerable Software and Affected Versions: Tenda AC8V4 version V16.03.34.06
Description: The Tenda AC8V4 device contains a stack overflow issue at the /goform/SetSysTimeCfg API endpoint. Manipulation of the timeZone and timeType parameters leads to a stack-based buffer overflow...

CVSS 5.3 · AI score 7 · EPSS 0.0062
Exploits 1 · References 5