1080 matches found

Positive Technologies · added 2023/05/30 12:00 a.m. · 4 views

PT-2023-13466 · Unknown · Shop Beat Media Player

Name of the Vulnerable Software and Affected Versions: Shop Beat Media Player versions 2.5.95 through 3.2.57 Description: The issue allows bypassing 2FA via APIs, specifically for Controlpanel Lite. After logging in, it is possible to use the bearer token or jsession ID to access APIs without...

CVSS 5.4 · AI score 7 · EPSS 0.00353
Exploits 0 · References 3
Positive Technologies · added 2023/05/09 12:00 a.m. · 4 views

PT-2023-23574 · Unknown · Android Capture App +1

Name of the Vulnerable Software and Affected Versions: DHIS2 Core versions 2.35 through 2.36.12 DHIS2 Core versions 2.37 through 2.37.7 DHIS2 Core versions 2.38 through 2.38.1 DHIS2 Core versions 2.39 through 2.39.0 exclusive of 2.39.0, as 2.39.0 contains a fix Description: The issue arises when...

CVSS 6.5 · AI score 6.3 · EPSS 0.00515
Exploits 0 · References 5
Vulnrichment · added 2023/04/26 8:46 p.m. · 12 views

CVE-2023-30845 ESPv2 vulnerable to JWT authentication bypass via `X-HTTP-Method-Override` header

ESPv2 is a service proxy that provides API management capabilities using Google Service Infrastructure. ESPv2 2.20.0 through 2.42.0 contains an authentication bypass vulnerability. API clients can craft a malicious X-HTTP-Method-Override header value to bypass JWT authentication in specific cases...

CVSS 8.2 · AI score 9.6 · EPSS 0.00658
Exploits 0 · References 4
Veracode · added 2023/04/25 11:46 a.m. · 19 views

Access Bypass

Drupal is vulnerable to Access Bypass. The vulnerability exists in the processinput parameter of FormBuilder.php because the API access element is not properly evaluated, which allows an attacker to access sensitive information in the system...

CVSS 6.5 · AI score 6.2 · EPSS 0.0059
Exploits 0 · References 5 · Affected Software 3
Vulnrichment · added 2023/04/11 2:51 a.m. · 10 views

CVE-2023-28761 Missing Authentication check in SAP NetWeaver Enterprise Portal

In SAP NetWeaver Enterprise Portal - version 7.50, an unauthenticated attacker can attach to an open interface and make use of an open API to access a service which will enable them to access or modify server settings and data, leading to limited impact on confidentiality and integrity...

CVSS 6.5 · AI score 7 · EPSS 0.00379
Exploits 0 · References 2
Cvelist · added 2023/04/11 2:51 a.m. · 14 views

CVE-2023-28761 Missing Authentication check in SAP NetWeaver Enterprise Portal

In SAP NetWeaver Enterprise Portal - version 7.50, an unauthenticated attacker can attach to an open interface and make use of an open API to access a service which will enable them to access or modify server settings and data, leading to limited impact on confidentiality and integrity...

CVSS 6.5 · AI score 6.8 · EPSS 0.00379
Exploits 0 · References 2
Fortinet · added 2023/04/11 12:00 a.m. · 35 views

FortiSandbox / FortiDeceptor - Improper profile-based access control over APIs

An improper privilege management vulnerability CWE-269 in FortiSandbox & FortiDeceptor may allow a remote authenticated attacker to perform unauthorized API calls via crafted HTTP or HTTPS requests...

CVSS 6.5 · AI score 8.1 · EPSS 0.00975
Exploits 0 · Affected Software 2
Veracode · added 2023/03/28 7:02 a.m. · 75 views

Privilege Escalation

github.com/minio/minio is vulnerable to Privilege Escalation. An attacker is able to use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To achieve this, the attacker needs credentials with arn:aws:s3::: permission and...

CVSS 8.8 · AI score 8.2 · EPSS 0.06736
Exploits 2 · References 3 · Affected Software 1
0day.today · added 2023/03/27 12:00 a.m. · 193 views

Sysax Multi Server 6.95 - (Password) Denial of Service Exploit

Exploit Title: Sysax Multi Server 6.95 - 'Password' Denial of Service PoC Discovery by: Luis Martinez Vendor Homepage: https://www.sysax.com/ Software Link: https://www.sysax.com/download/sysaxservsetup.msi Tested Version: 6.95 Vulnerability Type: Denial of Service DoS Local Tested on OS: Windows...

AI score 6.8
Exploits 0
NVD · added 2023/03/22 9:15 p.m. · 29 views

CVE-2023-28434

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials wit...

CVSS 8.8 · AI score 8.7 · EPSS 0.06736
Exploits 2 · References 4
Prion · added 2023/03/22 9:15 p.m. · 38 views

Code injection

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials wit...

CVSS 6.5 · AI score 8.5 · EPSS 0.06736
Exploits 2 · References 3 · Affected Software 1
OSV · added 2023/03/22 9:15 p.m. · 0 views

UBUNTU-CVE-2023-28434

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials wit...

CVSS 8.8 · AI score 7.2 · EPSS 0.06736
Exploits 2 · References 6
Vulnrichment · added 2023/03/22 8:44 p.m. · 12 views

CVE-2023-28434 MinIO is vulnerable to privilege escalation on Linux/MacOS

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials wit...

CVSS 8.8 · AI score 8.3 · EPSS 0.06736
Exploits 2 · References 3
Cvelist · added 2023/03/22 8:44 p.m. · 54 views

CVE-2023-28434 MinIO is vulnerable to privilege escalation on Linux/MacOS

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials wit...

CVSS 8.8 · AI score 8.7 · EPSS 0.06736
Exploits 2 · References 3
CVE · added 2023/03/22 8:44 p.m. · 645 views

CVE-2023-28434

CVE-2023-28434 (MinIO) affects MinIO’s object storage framework. A security feature bypass allows an attacker with credentials for arn:aws:s3:::* and Console API access to bypass metadata bucket name checking during PostPolicyBucket and place objects into arbitrary buckets. This can impact confid...

CVSS 8.8 · AI score 8.3 · EPSS 0.06736
In wild · Exploits 2 · References 4 · Affected Software 1
Positive Technologies · added 2023/03/21 12:00 a.m. · 6 views

PT-2023-4759 · Minio +2 · Minio +2

Name of the Vulnerable Software and Affected Versions: Minio versions prior to RELEASE.2023-03-20T20-16-18Z Description: The issue is related to the PostPolicyBucket component of the Minio Multi-Cloud Object Storage framework. An attacker can use crafted requests to bypass metadata bucket name...

CVSS 9 · AI score 6.5 · EPSS 0.83957
Exploits 25 · References 84
NVD · added 2023/03/09 9:15 p.m. · 10 views

CVE-2023-0223

An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Non-project members could retrieve release descriptions via the API, even if the release visibility is...

CVSS 5.3 · AI score 5.3 · EPSS 0.00786
Exploits 0 · References 3
Vulnrichment · added 2023/03/09 12:00 a.m. · 8 views

CVE-2023-0223

An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Non-project members could retrieve release descriptions via the API, even if the release visibility is...

CVSS 5.3 · AI score 5 · EPSS 0.00786
Exploits 0 · References 3
Positive Technologies · added 2023/03/08 12:00 a.m. · 4 views

PT-2023-19776 · Funadmin · Funadmin

Name of the Vulnerable Software and Affected Versions: Funadmin version 3.2.0 Description: The issue is related to a SQL injection vulnerability. It can be exploited via the id parameter at the "/databases/table/list" API endpoint. Recommendations: For Funadmin version 3.2.0, consider restricting...

CVSS 9.8 · AI score 9.4 · EPSS 0.00741
Exploits 1 · References 7
Wordfence Blog · added 2023/03/07 7:09 p.m. · 20 views

Wordfence Intelligence: Because Community Created Vulnerabilities Are Community Property

Last August, at Black Hat 2022 in Las Vegas, we launched Wordfence Intelligence, a product designed to provide large enterprise customers with rich IP threat data, malware signatures, malware hashes, and vulnerability data to help keep enterprise customers and networks secure. Our mission at...

AI score 0.8
Exploits 0