147 matches found

SUSE CVE
added 2023/03/31 1:57 a.m. · 1 views

SUSE CVE-2023-22644

A user can reverse engineer the JWT (JSON Web Token) used in authentication for Manager and API access, forging a valid NeuVector token to perform malicious activity in NeuVector. This can lead to an RCE...

CVSS 5.5 · AI score 9.4 · EPSS 0.00053
Exploits 0 · References 18
Hacker One
added 2023/01/04 3:20 p.m. · 81 views

U.S. Dept Of Defense: [U.S. Air Force] Information disclosure due to unauthenticated access to APIs and system browser functions

Multiple information exposure vulnerabilities were found in a Jira Server instance, allowing unauthenticated attackers to access APIs and system browser functions, leading to unauthorized access to sensitive data. The vulnerability was registered as CVE-2020-14179...

CVSS 5.3 · AI score 5.4 · EPSS 0.92578
Exploits 1
OSV
added 2022/11/18 11:15 p.m. · 1 views

CVE-2022-45073

Cross-Site Request Forgery (CSRF) vulnerability in REST API Authentication plugin <= 2.4.0 on WordPress...

CVSS 8.8 · AI score 5.8
Exploits 0 · References 1
NVD
added 2022/11/18 11:15 p.m. · 7 views

CVE-2022-45073

Cross-Site Request Forgery (CSRF) vulnerability in REST API Authentication plugin <= 2.4.0 on WordPress...

CVSS 8.8 · EPSS 0.00083
Exploits 0 · References 1
CVE
added 2022/11/18 9:42 p.m. · 59 views

CVE-2022-45073

CVE-2022-45073 describes a CSRF vulnerability in the WordPress REST API Authentication plugin (versions ≤ 2.4.0). The issue arises from the plugin not performing CSRF checks when updating settings, potentially allowing an authenticated attacker to trigger unintended settings changes through forge...

CVSS 8.8 · AI score 7.2 · EPSS 0.00083
Exploits 0 · References 1 · Affected Software 1
CNNVD
added 2022/11/18 12:00 a.m. · 2 views

WordPress plugin REST API Authentication Cross-Site Request Forgery Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exists in...

CVSS 8.8 · AI score 7.7 · EPSS 0.00083
Exploits 0 · References 2
Cvelist
added 2022/10/14 12:00 a.m. · 16 views

CVE-2022-39308 GoCD API authentication of user access tokens subject to timing attack during comparison

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 inclusive are subject to a timing attack in validation of access tokens due to use of regular string comparison f...

CVSS 6.5 · AI score 6.4 · EPSS 0.00406
Exploits 0 · References 4
Tenable Nessus
added 2022/06/13 12:00 a.m. · 50 views

Apache Airflow < 1.10.11 Multiple Vulnerabilities

The version of Apache Airflow is prior to 1.10.11. It is, therefore, affected by multiple vulnerabilities, including the following: - An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it i...

CVSS 9.8 · AI score 8 · EPSS 0.94272
Exploits 11 · References 9
Malwarebytes
added 2022/04/29 4:28 p.m. · 1018 views

The top 5 most routinely exploited vulnerabilities of 2021

A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cybe...

CVSS 10 · AI score 10 · EPSS 0.9444
Exploits 474
Cvelist
added 2022/03/30 9:38 p.m. · 9 views

CVE-2021-45900

Vivoh Webinar Manager before 3.6.3.0 has improper API authentication. When a user logs in to the administration configuration web portlet, a VIVOHAUTH cookie is assigned so that they can be uniquely identified. Certain APIs can be successfully executed without proper authentication. This can let ...

AI score 6.6 · EPSS 0.00201
Exploits 1 · References 2
CVE
added 2022/03/30 9:38 p.m. · 79 views

CVE-2021-45900

Vivoh Webinar Manager prior to 3.6.3.0 has an improper API authentication flaw. After login to the administration configuration web portlet, a VIVOH_AUTH cookie is issued to identify users, and certain APIs can be called without proper authentication, enabling an attacker to impersonate a victim ...

CVSS 6.5 · AI score 6.4 · EPSS 0.00201
Exploits 1 · References 2 · Affected Software 1
NVD
added 2022/02/24 4:15 p.m. · 16 views

CVE-2022-0732

The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability...

CVSS 7.5 · EPSS 0.00498
Exploits 0 · References 4
Prion
added 2022/02/24 4:15 p.m. · 22 views

Design/Logic Flaw

The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability...

CVSS 5 · AI score 7.6 · EPSS 0.00498
Exploits 0 · References 4
Positive Technologies
added 2022/02/24 12:00 a.m. · 9 views

PT-2022-13397 · 1Byte · Copy9 +8

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned. Description: The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an Insecure Direct Object...

CVSS 7.5 · AI score 7.3 · EPSS 0.00498
Exploits 0 · References 5
Tibco
added 2022/02/02 9:40 p.m. · 13 views

TIBCO Security Advisory: February 15, 2022 - TIBCO AuditSafe - CVE-2022-22770

TIBCO AuditSafe API Authentication vulnerability. Original release date: February 15, 2022. Last revised: ---. CVE-2022-22770. Source: TIBCO Software Inc. Products Affected: TIBCO AuditSafe versions 1.1.0 and below. The following component is affected: Web Server. Description: The component listed above...

CVSS 9 · AI score 7.7 · EPSS 0.0193
Exploits 0 · Affected Software 1
Rapid7 Blog
added 2021/11/09 4:59 p.m. · 155 views

Opportunistic Exploitation of Zoho ManageEngine and Sitecore CVEs

Over the weekend of November 6, 2021, Rapid7's Incident Response (IR) and Managed Detection and Response (MDR) teams began seeing opportunistic exploitation of two unrelated CVEs: CVE-2021-40539, a REST API authentication bypass in Zoho's ManageEngine ADSelfService Plus product that Rapid7 has...

CVSS 10 · AI score 9.8 · EPSS 0.94424
Exploits 12
ATTACKERKB
added 2021/09/13 12:00 a.m. · 56 views

CVE-2021-40870

An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal. Recent assessments: JoyGhoshs at October 09, 2021 6:33am UTC reported:...

CVSS 9.8 · AI score 9.9 · EPSS 0.9426
In the wild · Exploits 5 · References 4
Carbon Black Blog
added 2021/03/16 8:15 p.m. · 49 views

Securing Containers and Kubernetes-Orchestrated Environments

In a recent Black Hat webcast, “Securing Containers and Kubernetes-Orchestrated Environments,” sponsored by VMware Carbon Black, guest speakers Sheila A. Berta, Offensive Security Specialist, Dreamlab Technologies and Haim Helman, CTO, VMware Carbon Black App Security, VMware Security Business...

Exploits 0
Fedora
added 2021/01/20 1:28 a.m. · 45 views

[SECURITY] Fedora 32 Update: coturn-4.5.2-1.fc32

The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relayin...

CVSS 7.2 · AI score 0.8 · EPSS 0.00267
Exploits 3
ATTACKERKB
added 2020/12/29 12:00 a.m. · 267 views

CVE-2020-10148 SolarWinds Orion API authentication bypass and RCE

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds...

CVSS 9.8 · AI score 10 · EPSS 0.94345
In the wild · Exploits 3 · References 4