80 matches found
CVE-2022-34770
Tabit - sensitive information disclosure. Several APIs on the web system display, without authorization, sensitive information such as health statements, previous bills in a specific restaurant, alcohol consumption and smoking habits. Each of the described APIs has in its URL one or more MongoD...
CVE-2022-25237
Bonita Web 2021.2 is affected by an authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, users with no privileges can access privileged API...
Privilege escalation in easyappointments
The Easy!Appointments API authorization is checked against the user's existence, without validating the permissions. As a result, a low-privileged user, e.g. a provider, can create a new admin user via the "/api/v1/admins/" endpoint and take over the system. A patch is available on the develop branch ...
GHSA-7F62-4887-CFV5 Privilege escalation in easyappointments
The Easy!Appointments API authorization is checked against the user's existence, without validating the permissions. As a result, a low-privileged user, e.g. a provider, can create a new admin user via the "/api/v1/admins/" endpoint and take over the system. A patch is available on the develop branch ...
Cisco SD-WAN vManage Software Information Disclosure Vulnerability (CNVD-2022-46480)
Cisco SD-WAN vManage Software is management software for the SD-WAN (Software Defined Wide Area Network) solutions of Cisco (U.S.). An information disclosure vulnerability exists in Cisco SD-WAN vManage Software, which stems from insufficient checks of API authorization to the underlying operating...
API Privilege Escalation
Description: Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application. On Easy!Appointments API authorizati...
CVE-2022-20747 Cisco SD-WAN vManage Software Information Disclosure Vulnerability
A vulnerability in the History API of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain access to sensitive information on an affected system. This vulnerability is due to insufficient API authorization checking on the underlying operating system. An attacker cou...
CVE-2022-20747
CVE-2022-20747 concerns an information disclosure in Cisco SD-WAN vManage Software via the History API. Root cause: insufficient API authorization checks on the underlying OS, enabling an authenticated, lower-privileged user to access sensitive information. Affected component: History API in Cisc...
Cisco SD-WAN vManage Software Information Disclosure (cisco-sa-sdwan-vman-infodis-73sHJNEq)
According to its self-reported version, Cisco SD-WAN Viptela Software is affected by a vulnerability. - A vulnerability in the History API of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain access to sensitive information on an affected system. This vulnerabili...
Design/Logic Flaw
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability...
Cisco Connected Mobile Experiences User Enumeration Vulnerability
Cisco Connected Mobile Experiences (CMX) is an intelligent Wi-Fi solution that uses the Cisco wireless infrastructure to provide location services and location analytics to consumers' mobile devices. A user enumeration vulnerability exists in API authorization for Cisco Connected Mobile Experiences...
CVE-2021-1143
A vulnerability in Cisco Connected Mobile Experiences CMX API authorizations could allow an authenticated, remote attacker to enumerate what users exist on the system. The vulnerability is due to a lack of authorization checks for certain API GET requests. An attacker could exploit this...
Design/Logic Flaw
A vulnerability in Cisco Connected Mobile Experiences CMX API authorizations could allow an authenticated, remote attacker to enumerate what users exist on the system. The vulnerability is due to a lack of authorization checks for certain API GET requests. An attacker could exploit this...
Cisco Connected Mobile Experiences (CMX) Access Control Error Vulnerability
Cisco Connected Mobile Experiences (CMX) is an intelligent Wi-Fi solution that uses the Cisco wireless infrastructure to provide location services and location analytics to consumers' mobile devices. A user enumeration vulnerability exists in API authorization for Cisco Connected Mobile Experiences...
CVE-2020-13284
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token...
UBUNTU-CVE-2020-13284
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token...
CVE-2020-13284
Removed by vendor...
CVE-2017-1500
A Reflected Cross Site Scripting XSS vulnerability exists in the authorization function exposed by RESTful Web Api of IBM Worklight Framework 6.1, 6.2, 6.3, 7.0, 7.1, and 8.0. The vulnerable parameter is "scope"; if you set as its value a "realm" not defined in authenticationConfig.xml, you get a...
FoosunCMS Sql Injection Vulnerability
In API/APIResponse.asp the variable username is passed unfiltered into SQL execution, which results in injection. Key code: If CheckPost Then Select Case Act Case "checkname" 'triggers the injection Checkname. The CheckPost function prototype is at lines 73-96; username gets its value there, as follows: XmlDoc.documentElement.selectSingleNode("username"). The Checkname function is at lines 233-254, as follows: Sub Checkname Dim UserEmail Dim Temptr,i,Rs,Sql...