CVE-2024-8256
In Teltonika Networks RUTOS devices running versions 7.0 up to but excluding 7.8, and TSWOS devices running versions 1.0 up to but excluding 1.3, incorrect permission handling creates a vulnerability that allows a lower-privileged user with default permissions to access critical device resources v...
CVE-2024-8256
CVE-2024-8256 affects Teltonika Networks RUTOS and TSWOS devices due to incorrect permission handling in the API, enabling a lower-privileged user with default permissions to access critical device resources. Affected: RUTOS versions 7.0 through 7.7 (i.e. 7.0 up to but excluding 7.8, per PT-2024-38894 and the CVE record) and TSWO...
CVE-2024-8256 Incorrect Permission Assignment in RutOS based routers and TSWOS based managed switches
In Teltonika Networks RUTOS devices running versions 7.0 up to but excluding 7.8, and TSWOS devices running versions 1.0 up to but excluding 1.3, incorrect permission handling creates a vulnerability that allows a lower-privileged user with default permissions to access critical device resources v...
PT-2024-38894 · Teltonika Networks · Tswos +1
Name of the Vulnerable Software and Affected Versions: Teltonika Networks RUTOS versions 7.0 through 7.7; Teltonika Networks TSWOS versions 1.0 through 1.2. Description: A vulnerability exists due to incorrect permission handling, allowing a lower privileged user with default permissions to access...
CVE-2024-53949
Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows lower-privilege users to use this API. This issue affects Apache Superset: from 2.0.0 before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue...
CVE-2024-53949
CVE-2024-53949 describes an improper authorization vulnerability in Apache Superset that occurs when the FAB_ADD_SECURITY_API is enabled (default is disabled). The issue allows lower-privilege users to use the security API to perform actions that should be restricted. Affected versions are 2.0.0 ...
CVE-2023-47871
Missing Authorization vulnerability in IT Path Solutions Contact Form to Any API allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form to Any API: from n/a through 1.1.6...
Exploit for CVE-2024-42327
PoC for CVE-2024-42327 / ZBX-25623 A non-admin user account on...
CVE-2024-50357
FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST APIs, which are configured as disabled in the initial factory default configuration. However, the REST APIs are unexpectedly enabled when the affected product is powered up, provided either the http-server GUI or Web authentication ...
CVE-2024-42327
A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access, can exploit this vulnerability. An SQLi exists in the addRelatedObjects function of the CUser class; this function is called from the CUser.get function, which is availabl...
CVE-2024-42327
CVE-2024-42327 is an authenticated SQL injection in Zabbix via the user.get path (CUser.addRelatedObjects) exploitable by non-admin/API-access users. Public PoCs show time-based SQLi leakage of user data and, in some variants, admin API tokens and RCE sequences, enabling privilege escalation to Z...
CVE-2024-42327 SQL injection in user.get API
A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access, can exploit this vulnerability. An SQLi exists in the addRelatedObjects function of the CUser class; this function is called from the CUser.get function, which is availabl...
DEBIAN-CVE-2024-36467
An authenticated user with API access (e.g. a user with the default User role), and more specifically a user with access to the user.update API endpoint, is able to add themselves to any group (e.g. Zabbix Administrators), except groups that are disabled or have restricted GUI access...
CVE-2024-36467
An authenticated user with API access (e.g. a user with the default User role), and more specifically a user with access to the user.update API endpoint, is able to add themselves to any group (e.g. Zabbix Administrators), except groups that are disabled or have restricted GUI access...
CVE-2024-36467
CVE-2024-36467 (Zabbix): An authenticated user with API access can elevate their own privileges by adding themselves to groups (e.g., Zabbix Administrators) via user.update, bypassing group authorization for groups that are not disabled and do not have restricted GUI access. Technical roots described in the connected sources show that us...
CVE-2024-36467 Authentication privilege escalation via user groups due to missing authorization checks
An authenticated user with API access (e.g. a user with the default User role), and more specifically a user with access to the user.update API endpoint, is able to add themselves to any group (e.g. Zabbix Administrators), except groups that are disabled or have restricted GUI access...