70 matches found
GHSA-H924-8G65-J9WG Traefik's X-Forwarded-Prefix Header still allows for Open Redirect
Impact: There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. Patches: https://github.com/traefik/traefik/releases/tag/v2.11.14, https://github.com/traefik/traefik/releases/tag/v3.2.1. Workarounds: No workaround. For more...
Synology DiskStation Manager (DSM) File Disclosure Vulnerability (Synology-SA-24:20) - Remote Known Vulnerable Versions Check
Synology DiskStation Manager (DSM) is prone to a file disclosure vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
CVE-2024-42760
SQL Injection vulnerability in Ellevo v.6.2.0.38160 allows a remote attacker to obtain sensitive information via the /api/mob/instrucao/conta/destinatarios component...
CVE-2024-37768
CVE-2024-37768 affects 14Finger v1.1: an arbitrary user deletion vulnerability exists via the endpoint /api/admin/user?id. The CVE entry lists a CRITICAL impact (CVSS v3.1: 9.1) with network access, no user interaction, and no privileges required; impacts include high integrity and high availabil...
CVE-2024-31621
An issue in FlowiseAI Inc Flowise v.1.6.2 and before allows a remote attacker to execute arbitrary code via a crafted script to the api/v1 component...
CVE-2024-3039
Affected software: Shanghai Brad Technology BladeX 3.4.0. Vulnerable component: API endpoint /api/blade-user/export-user. Root cause: SQL injection via input manipulation using updatexml(1,concat(0x3f,md5(123456),0x3f),1)=1). Impact: potential remote exploitation allowing unauthorized access or d...
CVE-2024-24131
SuperWebMailer v9.31.0.01799 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component api.php...
CVE-2024-1262
A vulnerability, which was classified as critical, has been found in Juanpao JPShop up to 1.5.02. This issue affects the function actionUpdate of the file /api/controllers/merchant/design/MaterialController.php of the component API. The manipulation of the argument picurl leads to unrestricted...
Out-of-bounds
A vulnerability, which was classified as critical, has been found in Juanpao JPShop up to 1.5.02. This issue affects the function actionUpdate of the file /api/controllers/merchant/design/MaterialController.php of the component API. The manipulation of the argument picurl leads to unrestricted...
CVE-2024-1263
The CVE-2024-1263 entry concerns Juanpao JPShop (up to v1.5.02). The vulnerability is in the API component, specifically the function actionUpdate in /api/controllers/merchant/shop/PosterController.php, where manipulation of the pic_url argument allows unrestricted file uploads. Impact is describ...
Design/Logic Flaw
A vulnerability classified as critical has been found in Juanpao JPShop up to 1.5.02. This affects the function actionIndex of the file /api/controllers/admin/app/ComboController.php of the component API. The manipulation of the argument picurl leads to unrestricted upload. It is possible to...
CVE-2024-1261
Juanpao JPShop up to version 1.5.02 contains a vulnerability in the API component, specifically the actionIndex function in /api/controllers/merchant/app/ComboController.php. The issue arises from manipulation of the pic_url parameter, enabling unrestricted file uploads. The vulnerability is expl...
CVE-2024-1258
A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWTKEYADMIN leads to use of hard-coded cryptographic k...
Out-of-bounds
A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/controllers/admin/app/AppController.php of the component API. The manipulation of the argument apppicurl leads to unrestricted upload. The...
CVE-2024-24593
A cross-site request forgery (CSRF) vulnerability in all versions up to 1.14.1 of the api server component of Allegro AI's ClearML platform allows a remote attacker to impersonate a user by sending API requests via maliciously crafted HTML. Exploitation of the vulnerability allows an attacker to...
CVE-2023-42358
An issue was discovered in O-RAN Software Community ric-plt-e2mgr in the G-Release environment that allows remote attackers to cause a denial of service (DoS) via a crafted request to the E2Manager API component...
Exploit for Server-Side Request Forgery in Rbaskets Request_Baskets
SSRF Vulnerability Exploit for Request-Baskets CVE-2023-27163...
Design/Logic Flaw
An issue in PublicCMS v.4.0.202302.e allows a remote attacker to obtain sensitive information via the appToken and Parameters parameter of the api/method/getHtml component...
SUSE CVE-2021-35597
Vulnerability in the MySQL Client product of Oracle MySQL component: C API. Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this...