431 matches found
Deserialization of untrusted data
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. T...
Directory traversal
Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of "../clients/server" to schedule the collection for the server as a server...
CVE-2023-0290 Rapid7 Velociraptor directory traversal in client ID parameter
Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of "../clients/server" to schedule the collection for the server as a server...
EXNESS: Double forward slash breaks server-side restrictions & allows access to prohibited services from a partner account
A vulnerability was discovered where making an API call with double/multiple forward slashes broke server-side restrictions imposed upon a partner account, allowing unrestricted access to the autorebates facility, which was otherwise unavailable to the partner account...
Design/Logic Flaw
An issue was discovered in Simmeth Lieferantenmanager before 5.6. An attacker can download arbitrary files from the web server by abusing an API call: /DS/LMAPI/api/ConfigurationService/GetImages with an '"ImagesPath":"C:\"' value...
Privilege Escalation
dolibarr/dolibarr is vulnerable to privilege escalation. The vulnerability exists due to improper authorization checks in the library, allowing an attacker to escalate privileges via crafted API call, leading to account takeover...
GHSA-XX9W-464F-7H6F Harbor fails to validate the user permissions when updating a robot account
Impact Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. API call: PUT /robots/robotid By sending a request that attempts to update a robot account, and specifying a robot account id and robot...
Harbor fails to validate the user permissions when updating a robot account
Impact Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. API call: PUT /robots/robotid By sending a request that attempts to update a robot account, and specifying a robot account id and robot...
GHSA-8C6P-V837-77F6 Harbor fails to validate the user permissions when updating tag immutability policies
Impact Harbor fails to validate the user permissions when updating tag immutability policies - API call: PUT /projects/projectnameorid/immutabletagrules/immutableruleid By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated...
GHSA-JF8P-3VJH-PQ94 Harbor fails to validate the user permissions when viewing Webhook policies
Impact Harbor fails to validate the user permissions to view Webhook policies including relevant credentials configured in different projects the user doesn’t have access to, resulting in malicious users being able to read Webhook policies of other users/projects. API call is GET...
Harbor fails to validate the user permissions when viewing Webhook policies
Impact Harbor fails to validate the user permissions to view Webhook policies including relevant credentials configured in different projects the user doesn’t have access to, resulting in malicious users being able to read Webhook policies of other users/projects. API call is GET...
Harbor fails to validate the user permissions when updating tag retention policies
Impact Harbor fails to validate the user permissions when updating tag retention policies. API call: PUT /retentions/id By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modif...
GHSA-3637-V6VQ-XQQW Harbor fails to validate the user permissions when updating tag retention policies
Impact Harbor fails to validate the user permissions when updating tag retention policies. API call: PUT /retentions/id By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modif...
CRLF Injection
Undici is vulnerable to CRLF injection. The vulnerability is due to improper request header content-type sanitization in lib/core/request.js. An attacker can exploit this vulnerability to perform two requests in a single API call...
Privilege Escalation
Zulip is vulnerable to Privilege Escalation. An attacker may exploit the vulnerability by sending a maliciously crafted API call that grants administrator privileges to a bot in control...
CVE-2022-31168 Zulip Server insufficient authorization for changing bot roles
Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who...
CVE-2022-34534
Digital Watchdog DW Spectrum Server 4.2.0.32842 allows attackers to access sensitive information via a crafted API call...