1080 matches found

Positive Technologies
added 2019/08/01 12:00 a.m. · 4 views

PT-2019-7144 · Red Hat · Foreman

Name of the Vulnerable Software and Affected Versions: foreman versions 1.x.x before 1.15.6. Description: The issue is related to improper enforcement of access controls on certain resources in foreman, within Satellite 6. An attacker with access to the API and knowledge of the resource name can...

CVSS 7.4 · AI score 7.3 · EPSS 0.00749
Exploits 0 · References 3
Carbon Black Blog
added 2019/07/31 12:46 p.m. · 66 views

Flexible and Controlled Openness: Carbon Black’s API Approach

At Carbon Black, we believe that making our customers successful requires both an open platform and the control they need to build endpoint protection into the ideal security processes they’ve designed for their specific organization. From maintaining relationships with our 100+ integration...

AI score 1.5
Exploits 0
RedHat Linux
added 2019/07/15 1:40 p.m. · 59 views

Mozilla: Same-origin policy treats all files in a directory as having the same-origin

A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and...

CVSS 6.5 · AI score 7.3 · EPSS 0.20271
Exploits 0 · References 5
Veracode
added 2019/07/08 9:35 a.m. · 16 views

Information Disclosure

sonarqube is vulnerable to information disclosure. Improperly configured access controls of the API allows an attacker to discover valid user account logins...

CVSS 4.3 · AI score 4.6 · EPSS 0.0115
Exploits 1 · References 3 · Affected Software 1
OSV
added 2019/06/21 2:15 p.m. · 4 views

DEBIAN-CVE-2016-7404

OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should just be used for retrieving the instances' SSL certificates, they allow full API access, though, and can be used to perform any API operation the user is authorized to perform...

CVSS 9.8 · AI score 9.3 · EPSS 0.01867
Exploits 0 · References 1
NVD
added 2019/06/21 2:15 p.m. · 20 views

CVE-2016-7404

OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should just be used for retrieving the instances' SSL certificates, they allow full API access, though, and can be used to perform any API operation the user is authorized to perform...

CVSS 9.8 · AI score 9.6 · EPSS 0.01867
Exploits 0 · References 4
OSV
added 2019/06/21 2:15 p.m. · 5 views

CVE-2016-7404

OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should just be used for retrieving the instances' SSL certificates, they allow full API access, though, and can be used to perform any API operation the user is authorized to perform...

CVSS 9.8 · AI score 9.5
Exploits 0 · References 4
UbuntuCve
added 2019/06/21 2:15 p.m. · 24 views

CVE-2016-7404

OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should just be used for retrieving the instances' SSL certificates, they allow full API access, though, and can be used to perform any API operation the user is authorized to perform...

CVSS 9.8 · AI score 7.2 · EPSS 0.01867
Exploits 0 · References 2
OSV
added 2019/06/21 2:15 p.m. · 2 views

UBUNTU-CVE-2016-7404

OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should just be used for retrieving the instances' SSL certificates, they allow full API access, though, and can be used to perform any API operation the user is authorized to perform...

CVSS 9.8 · AI score 7.2 · EPSS 0.01867
Exploits 0 · References 3
Prion
added 2019/06/21 2:15 p.m. · 15 views

Design/Logic Flaw

OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should just be used for retrieving the instances' SSL certificates, they allow full API access, though, and can be used to perform any API operation the user is authorized to perform...

CVSS 7.5 · AI score 7 · EPSS 0.01867
Exploits 0 · References 4
Cvelist
added 2019/06/21 1:17 p.m. · 24 views

CVE-2016-7404

OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should just be used for retrieving the instances' SSL certificates, they allow full API access, though, and can be used to perform any API operation the user is authorized to perform...

AI score 9.6 · EPSS 0.01867
Exploits 0 · References 4
CVE
added 2019/06/21 1:17 p.m. · 256 views

CVE-2016-7404

CVE-2016-7404 affects OpenStack Magnum where credentials are passed into Heat templates for instance creation. The underlying issue is that these credentials, intended for SSL certificate retrieval, can be exploited to perform any API operation the user is authorized to perform, enabling full API...

CVSS 9.8 · AI score 9.4 · EPSS 0.01867
Exploits 0 · References 4 · Affected Software 1
Debian CVE
added 2019/06/21 1:17 p.m. · 25 views

CVE-2016-7404

OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should just be used for retrieving the instances' SSL certificates, they allow full API access, though, and can be used to perform any API operation the user is authorized to perform...

CVSS 9.8 · AI score 9.6 · EPSS 0.01867
Exploits 0
Hacker One
added 2019/05/28 10:10 p.m. · 57 views

Uber: [Pre-Submission][H1-4420-2019] API access to Phabricator on code.uberinternal.com from leaked certificate in git repo

A username and certificate were found that allow API access to Phabricator on code.uberinternal.com. This API access could give away source code and the private Phabricator instance of Uber...

AI score 2.7
Exploits 0
Veracode
added 2019/05/27 12:56 a.m. · 20 views

Information Disclosure

Pulp is vulnerable to information disclosure. An attacker with API access can view sensitive credentials when triggering a task via distributor/importer...

CVSS 7.5 · AI score 8 · EPSS 0.01338
Exploits 0 · References 91 · Affected Software 221
CVE
added 2019/05/22 2:07 p.m. · 33 views

CVE-2019-12277

Blogifier 2.3 before 2019-05-11 does not properly restrict APIs, due to missing checks for .. in a pathname. This creates an unrestricted API exposure that could allow an unauthenticated remote attacker to perform unauthorized actions via the API. The issue is patched in the 2.4 branch, with 2.5....

CVSS 9.8 · AI score 9.4 · EPSS 0.01879
Exploits 0 · References 1 · Affected Software 1
Tibco
added 2019/04/22 5:59 p.m. · 18 views

TIBCO Security Advisory: April 24, 2019 - TIBCO BPM Enterprise -2019-11203

TIBCO BPM Enterprise Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities. Original release date: April 24, 2019. Last revised: CVE-2019-11203. Source: TIBCO Software Inc. TIBCO ActiveMatrix BPM Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities. Original release date:...

CVSS 8.8 · AI score 7.2 · EPSS 0.00686
Exploits 0 · Affected Software 3
OSV
added 2019/04/11 3:29 p.m. · 3 views

CVE-2019-3916

Information disclosure vulnerability in Verizon Fios Quantum Gateway G1100 firmware version 02.01.00.05 allows a remote, unauthenticated attacker to retrieve the value of the password salt by simply requesting an API URL in a web browser, e.g. /api...

CVSS 7.5 · AI score 7.4
Exploits 0 · References 1
CVE
added 2019/04/03 5:43 p.m. · 93 views

CVE-2018-4399

CVE-2018-4399 is a kernel/privilege-related issue affecting Apple platforms prior to the patches in iOS 12, macOS Mojave 10.14, tvOS 12, and watchOS 5. The Red Hat advisory confirms an access issue with privileged API calls and notes affected versions before those updates. The Apple advisories HT...

CVSS 5.5 · AI score 6.1 · EPSS 0.00928
Exploits 0 · References 5 · Affected Software 4
ATTACKERKB
added 2019/03/28 12:00 a.m. · 22 views

CVE-2019-17558

Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset velocity/ directory or as a parameter. A user defined configset could contain renderable, potentially...

CVSS 7.5 · AI score 7.2 · EPSS 0.98567
In wild · Exploits 12 · References 30