
RedHat Linux
added 2020/12/22 10:49 a.m. · 3 views

mysql: C API unspecified vulnerability (CPU Jan 2020)

Vulnerability in the MySQL Client product of Oracle MySQL component: C API. Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise...

CVSS 5.9 · AI score 6.8 · EPSS 0.03514
Exploits 0 · References 5
RedHat Linux
added 2020/12/22 9:18 a.m. · 3 views

mysql: C API unspecified vulnerability (CPU Apr 2020)

Vulnerability in the MySQL Client product of Oracle MySQL component: C API. Supported versions that are affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise...

CVSS 5.3 · AI score 6.8 · EPSS 0.02336
Exploits 0 · References 5
Hacker One
added 2020/12/22 7:03 a.m. · 82 views

WHO COVID-19 Mobile App: Improper Input Validation on User's Location on PUT /WhoService/putLocation Could Affect Availability/Falsify Users

Summary: Note: I noticed that the team has fixed issues like an XSS that's caused only from a header value, typically OOS since it's not directly exploitable (https://github.com/WorldHealthOrganization/app/pull/855), so in the spirit of this I'm also reporting another "good-to-fix" issue. On th...

AI score 6.2
Exploits 0
ATTACKERKB
added 2020/12/15 5:00 p.m. · 3 views

CVE-2020-27147

The REST API component of TIBCO Software Inc.'s TIBCO PartnerExpress contains a vulnerability that theoretically allows an unauthenticated attacker with network access to obtain an authenticated login URL for the affected system via a REST API. Affected releases are TIBCO Software Inc.'s TIBCO...

CVSS 6.5 · AI score 5.4 · EPSS 0.00744
Exploits 0 · References 3 · Affected Software 1
Exploit DB
added 2020/11/19 12:00 a.m. · 891 views

M/Monit 3.7.4 - Password Disclosure

Title: M/Monit 3.7.4 - Password Disclosure Author: Dolev Farhi Date: 2020-07-09 Vendor Homepage: https://mmonit.com/ Version : 3.7.4 import sys import requests url = 'http://youriphere:8080' username = 'test' password = 'test123' sess = requests.Session sess.gethost def login: print'Attempting to...

AI score 7.4
Exploits 0
OSV
added 2020/11/18 6:15 p.m. · 2 views

CVE-2020-3392

A vulnerability in the API of Cisco IoT Field Network Director FND could allow an unauthenticated, remote attacker to view sensitive information on an affected system. The vulnerability exists because the affected software does not properly authenticate API calls. An attacker could exploit this...

CVSS 7.5 · AI score 7.2 · EPSS 0.01528
Exploits 0 · References 1
Snyk
added 2020/11/13 5:18 p.m. · 3 views

Information Exposure

Overview spreeapi is a Spree Api module Affected versions of this package are vulnerable to Information Exposure. An attacker can query the API v2 Order Status endpoint with an empty string passed as an Order token. Remediation Upgrade spreeapi to version 3.7.13, 4.0.5, 4.1.12 or higher. Referenc...

CVSS 7.7 · AI score 6.9 · EPSS 0.01111
Exploits 1 · References 2
RubySec
added 2020/11/13 12:00 a.m. · 25 views

Authorization bypass in Spree

Impact The perpetrator could query the API v2 Order Status https://guides.spreecommerce.org/api/v2/storefronttag/Order-Status endpoint with an empty string passed as an Order token Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree 3.7 are not...

CVSS 7.7 · AI score 6.7 · EPSS 0.01111
Exploits 1 · References 1 · Affected Software 1
Prion
added 2020/11/06 7:15 p.m. · 14 views

Design/Logic Flaw

A vulnerability in the video endpoint API xAPI of Cisco TelePresence Collaboration Endpoint CE Software could allow an authenticated, remote attacker to gain access to sensitive information on an affected device. The vulnerability is due to improper storage of sensitive information on an affected...

CVSS 4 · AI score 4.7 · EPSS 0.00838
Exploits 0 · References 1 · Affected Software 1
Cvelist
added 2020/11/06 6:15 p.m. · 15 views

CVE-2020-27128 Cisco SD-WAN vManage Software Arbitrary File Creation Vulnerability

A vulnerability in the application data endpoints of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to write arbitrary files to an affected system. The vulnerability is due to improper validation of requests to APIs. An attacker could exploit this vulnerability by...

CVSS 6.5 · AI score 6.5 · EPSS 0.60785
Exploits 0 · References 1
Positive Technologies
added 2020/11/04 12:00 a.m. · 3 views

PT-2020-4645 · Cisco · Cisco Sd-Wan Vmanage

Name of the Vulnerable Software and Affected Versions: Cisco SD-WAN vManage Software (affected versions not specified). Description: The issue is related to improper validation of directory traversal character sequences within requests to application programming interfaces (APIs). This could allow an...

CVSS 7.8 · AI score 7.3 · EPSS 0.12062
Exploits 0 · References 8
OSV
added 2020/10/28 6:15 p.m. · 1 view

CVE-2020-16256

The API on Winston 1.5.4 devices is vulnerable to CSRF...

CVSS 8.8 · AI score 5.8 · EPSS 0.00656
Exploits 1 · References 2
Prion
added 2020/10/28 6:15 p.m. · 9 views

Cross-site request forgery (CSRF)

The API on Winston 1.5.4 devices is vulnerable to CSRF...

CVSS 9.3 · AI score 8.6 · EPSS 0.00656
Exploits 1 · References 2 · Affected Software 1
Openbugbounty
added 2020/10/18 4:33 p.m. · 8 views

api.stream-radio.com Cross Site Scripting vulnerability OBB-1421523

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...

AI score 6.2
Exploits 0
CNVD
added 2020/10/09 12:00 a.m. · 3 views

Cisco Industrial Network Director Denial of Service Vulnerability

Cisco Industrial Network Director (IND) is an industrial automation management system from Cisco. The system achieves automation management by visualizing the industrial Ethernet infrastructure. A denial of service vulnerability exists in the management REST API in Cisco Industrial Network Director...

CVSS 6.8 · AI score 6.8 · EPSS 0.0114
Exploits 0 · References 1
BDU FSTEC
added 2020/09/21 12:00 a.m. · 1 view

The vulnerability of the API subsystem of the Cisco Meeting Server platform allows a hacker to obtain server credentials for conducting audio/video calls and packet forwarding.

The vulnerability of the API subsystem of the Cisco Meeting Server platform relates to insufficient mechanisms for protecting the server’s credentials. This vulnerability allows a malicious actor to obtain the server’s credentials, enabling them to conduct audio/video calls and packet forwarding...

CVSS 5 · AI score 5.5 · EPSS 0.00991
Exploits 0 · References 2
Prion
added 2020/09/08 10:15 a.m. · 17 views

Code injection

"User Process can potentially corrupt kernel virtual page by passing a crafted page in API" in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice &...

CVSS 7.2 · AI score 7.5 · EPSS 0.00211
Exploits 0 · References 2
Openbugbounty
added 2020/09/07 10:09 a.m. · 8 views

api.news18.com Cross Site Scripting vulnerability OBB-1311076

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...

AI score 6.2
Exploits 0
Hacker One
added 2020/09/05 4:41 a.m. · 19 views

Shopify: User sensitive information disclosure

1. Open the Shopify Guide mini-program (Applets). 2. Click "Personal Center". 3. Click "Edit Profile" (WeChat image 20200905123248.png). 4. https://api-wechat.shopify.cn/api/sp/customer/id (1.png). 5. Modify the ID value to traverse the user information. Impact: User sensitive information disclosur...

AI score 2
Exploits 0
Pen Test Partners Blog
added 2020/09/02 11:00 a.m. · 49 views

Cloud firewall management API SNAFU put 500k SonicWall customers at risk

TL;DR: I found an IDOR in SonicWall's cloud management platform API. Any user could add themselves to any account at any organisation using it. Anyone could create a user account to exploit the issue, from the public internet. Can be used to change firewall rules, or add rogue VPN users, for example...

AI score 7
Exploits 0