1080 matches found

Vulnrichment · added 2022/08/16 5:20 p.m. · 6 views

CVE-2022-38184 There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1

There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs...

CVSS 7.5 · AI score 7 · EPSS 0.00851
Exploits 0 · References 1
Positive Technologies · added 2022/07/31 12:00 a.m. · 3 views

PT-2022-20208 · IBM · IBM Robotic Process Automation

Name of the Vulnerable Software and Affected Versions: IBM Robotic Process Automation versions 21.0.0 through 21.0.2 Description: The issue allows a privileged user to elevate their privilege to platform administrator through manipulation of APIs. Recommendations: For versions 21.0.0 through...

CVSS 8 · AI score 7.2 · EPSS 0.00774
Exploits 0 · References 4
OSV · added 2022/07/15 12:00 a.m. · 12 views

GHSA-7GGC-5R84-XF54 Mattermost users could access some sensitive information via API call

Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs...

CVSS 6.5 · AI score 6.2 · EPSS 0.00668
Exploits 0 · References 3
Vulnrichment · added 2022/07/14 5:20 p.m. · 10 views

CVE-2022-2401 Team members could access sensitive information of other users via an API call

Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs...

CVSS 6.5 · AI score 6.3 · EPSS 0.00668
Exploits 0 · References 1
CVE · added 2022/07/14 5:20 p.m. · 2263 views

CVE-2022-2401

Mattermost CVE-2022-2401 affects Mattermost Server (Mattermost) up to version 6.7.0. The issue is an unrestricted information disclosure where team members can access some sensitive user information by directly calling APIs. The related records consistently cite the affected product/version and t...

CVSS 6.5 · AI score 6.2 · EPSS 0.00668
Exploits 0 · References 1 · Affected Software 1
Tenable Nessus · added 2022/07/09 12:00 a.m. · 71 views

FreeBSD : Gitlab -- multiple vulnerabilities (d1b35142-ff4a-11ec-8be3-001b217b3468)

The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the d1b35142-ff4a-11ec-8be3-001b217b3468 advisory. - A Regular Expression Denial of Service vulnerability in GitLab CE/EE affecting all versions...

CVSS 9.9 · AI score 6.7 · EPSS 0.76884
Exploits 0 · References 18
Huntr · added 2022/07/03 4:13 a.m. · 17 views

Documents in trash accessible by Viewer role

Description: Once a document is archived or deleted, there is no way to access it through the UI or the document link. But the API still returns the file information and content. This is the same with archived files. Proof of Concept: 1. Give a user the Viewer role. 2. Visit https://your.getoutline.com/trash or...

AI score 0.3
Exploits 0
Cvelist · added 2022/06/27 12:00 a.m. · 16 views

CVE-2022-31081 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in HTTP::Daemon

HTTP::Daemon is a simple HTTP server class written in Perl. Versions prior to 6.15 are subject to a vulnerability which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are; most Perl-based applications are served ...

CVSS 7.3 · AI score 7 · EPSS 0.01688
Exploits 1 · References 11
OSV · added 2022/06/24 3:15 p.m. · 3 views

CVE-2022-1517

LRM utilizes elevated privileges. An unauthenticated malicious actor can upload and execute code remotely at the operating system level, which can allow an attacker to change settings, configurations, software, or access sensitive data on the affected product. An attacker could also exploit this...

CVSS 9.8 · AI score 5.9 · EPSS 0.01405
Exploits 0 · References 1
NVD · added 2022/06/24 3:15 p.m. · 16 views

CVE-2022-1517

LRM utilizes elevated privileges. An unauthenticated malicious actor can upload and execute code remotely at the operating system level, which can allow an attacker to change settings, configurations, software, or access sensitive data on the affected product. An attacker could also exploit this...

CVSS 10 · EPSS 0.01405
Exploits 0 · References 1
CVE · added 2022/06/24 3:00 p.m. · 2387 views

CVE-2022-1517

Illumina Local Run Manager (LRM) software, affected versions 1.3–3.1, contains CVE-2022-1517 (execution with unnecessary privileges). An unauthenticated attacker could upload and execute code remotely at the OS level, potentially tampering with settings, software, data, or APIs and interacting ov...

CVSS 10 · AI score 9.8 · EPSS 0.01405
Exploits 0 · References 1 · Affected Software 1
OSV · added 2022/06/07 6:15 p.m. · 23 views

CVE-2022-1708

A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a...

CVSS 7.5 · AI score 6.8
Exploits 0 · References 3
OSV · added 2022/06/02 2:15 p.m. · 2 views

UBUNTU-CVE-2022-30034

Flower, a web UI for the Celery Python RPC framework, all versions as of 05-02-2022, is vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes...

CVSS 8.6 · AI score 7.4 · EPSS 0.01339
Exploits 1 · References 4
Github Security Blog · added 2022/05/24 5:21 p.m. · 5 views

Mattermost Server server restarts may provide attackers with API access

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access...

CVSS 9.8 · AI score 5.4 · EPSS 0.01184
Exploits 0 · References 6 · Affected Software 1
OSV · added 2022/05/24 5:21 p.m. · 5 views

GHSA-HXXJ-8PHW-74VW Mattermost Server server restarts may provide attackers with API access

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access...

CVSS 9.8 · AI score 8.4 · EPSS 0.01184
Exploits 0 · References 6
Github Security Blog · added 2022/05/24 5:20 p.m. · 6 views

Liferay Portal and Liferay DXP Vulnerable to Arbitrary Code Execution

In Liferay Portal before 7.3.2 and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 18, and 7.2 before fix pack 6, the template API does not restrict user access to sensitive objects, which allows remote authenticated users to execute arbitrary code via crafted FreeMarker and Velocity...

CVSS 8.8 · AI score 7.5 · EPSS 0.03757
Exploits 1 · References 5 · Affected Software 2
Github Security Blog · added 2022/05/24 4:48 p.m. · 22 views

Openstack Magnum Unsafe Credential Handling

OpenStack Magnum passes OpenStack credentials into the Heat templates that create its instances. While these should only be used for retrieving the instances' SSL certificates, they grant full API access and can be used to perform any API operation the user is authorized to perform...

CVSS 9.8 · AI score 6.9 · EPSS 0.01867
Exploits 0 · References 7 · Affected Software 1
OSV · added 2022/05/24 4:48 p.m. · 29 views

GHSA-793V-R35J-9RP9 Openstack Magnum Unsafe Credential Handling

OpenStack Magnum passes OpenStack credentials into the Heat templates that create its instances. While these should only be used for retrieving the instances' SSL certificates, they grant full API access and can be used to perform any API operation the user is authorized to perform...

CVSS 9.8 · AI score 9.5 · EPSS 0.01867
Exploits 0 · References 7
Positive Technologies · added 2022/05/24 12:00 a.m. · 4 views

PT-2022-17170

Name of the Vulnerable Software and Affected Versions: Bonita Web version 2021.2. Description: Bonita Web 2021.2 is affected by an authentication/authorization bypass due to an overly permissive exclusion pattern within the RestAPIAuthorizationFilter. Appending ;i18ntranslation or /../i18ntranslatio...

CVSS 9.8 · AI score 9.9 · EPSS 0.56222
Exploits 1 · References 9
Vulnrichment · added 2022/05/20 6:15 p.m. · 4 views

CVE-2022-29178 Incorrect Default Permissions in Cilium

Cilium is open source software for providing and securing network connectivity and load balancing between application workloads. Cilium prior to versions 1.9.16, 1.10.11, and 1.11.15 contains an incorrect default permissions vulnerability. Operating systems with users belonging to the group ID 100...

CVSS 8.8 · AI score 8.6 · EPSS 0.00285
Exploits 0 · References 4