CVE-2024-11662
CVE-2024-11662 affects welliamcao OpsManage, specifically the deploy_host_vars function in /apps/api/views/deploy_api.py of the API Endpoint. A deserialization vulnerability exists in versions 3.0.1–3.0.5 that can be exploited remotely; exploitation details have been publicly disclosed. Connected...
CVE-2024-11662 welliamcao OpsManage API Endpoint deploy_api.py deploy_host_vars deserialization
A vulnerability was found in welliamcao OpsManage 3.0.1/3.0.2/3.0.3/3.0.4/3.0.5. It has been rated as critical. This issue affects the function deploy_host_vars of the file /apps/api/views/deploy_api.py of the component API Endpoint. The manipulation leads to deserialization. The attack may be...
PT-2024-34601 · Gibbon · Gibbon
Name of the Vulnerable Software and Affected Versions: Gibbon versions prior to 28.0.00 Description: The issue allows a remote attacker to obtain sensitive information via the email parameter found in the "/Gibbon/modules/User Admin/user_manage_editProcess.php" API endpoint. Recommendations: For...
CVE-2020-26063 Cisco Integrated Management Controller Software Authorization Bypass Vulnerability
A vulnerability in the API endpoints of Cisco Integrated Management Controller could allow an authenticated, remote attacker to bypass authorization and take actions on a vulnerable system without authorization. The vulnerability is due to improper authorization checks on API endpoints. An attack...
GHSA-J3VQ-PMP5-R5XJ Missing rate limit on password resets in zenml
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the...
CVE-2024-4311
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the...
CVE-2024-4311 Lack of login attempt rate-limiting in zenml-io/zenml
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the...
CVE-2024-4311
ZenML 0.56.4 is affected by CVE-2024-4311 due to no rate-limiting on the password-change flow, enabling brute-forcing of the current password via /api/v1/current-user and potentially taking over the user account. Affected component: password update function. Impact: account takeover with unauthen...
CVE-2024-52302
common-user-management is a robust Spring Boot application featuring user management services designed to control user access dynamically. There is a critical security vulnerability in the application endpoint /api/v1/customer/profile-picture. This endpoint allows file uploads without proper...
CVE-2024-40404
Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain an access control issue in the API endpoint where Web Sockets connections are established...
CVE-2024-46894
CVE-2024-46894 – SINEC INS unauthorized access vulnerability. Affects Siemens SINEC INS all versions before V1.0 SP2 Update 3. The application does not properly validate a user’s authorization to query the "/api/sftp/users" endpoint, enabling an authenticated remote attacker to view the configure...
PT-2024-29684 · Mattermost · Mattermost
Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.5.x through 9.5.9; Mattermost versions 9.10.x through 9.10.2; Mattermost versions 9.11.x through 9.11.1; Mattermost versions 10.0.x through 10.0.0 Description: The issue allows a User or System Manager with "Read Groups"...
Mars: Customer Data Exposure via Insecure Endpoint of coupon
A security vulnerability was identified in the Royal Canin Greece website. An insecure API endpoint was exposed that allowed unauthorized access to customer information without requiring authentication. The endpoint related to coupon functionality and revealed sensitive customer data, including...
Mars: change part of personal information all users
The report describes a vulnerability in the ██████████ website, where unauthorized access to an API endpoint allowed attackers to add new users and modify personal information of existing users. The vulnerability was classified as Improper Access Control. The issue stemmed from the absence of...
PT-2024-16672 · Unknown · 1000 Projects Bookstore Management System
Name of the Vulnerable Software and Affected Versions: 1000 Projects Bookstore Management System version 1.0 Description: A critical issue affects some unknown functionality of the file /admin/login_process.php of the component Login. The manipulation of the argument unm leads to SQL injection. T...
CVE-2024-51557
This vulnerability exists in Wave 2.0 due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP requests through the vulnerable API endpoint, which could lead to OTP bombing/flooding on the targeted...
CVE-2024-51560
This vulnerability exists in the Wave 2.0 due to improper exception handling for invalid inputs at certain API endpoint. An authenticated remote attacker could exploit this vulnerability by providing invalid inputs for “userId” parameter in the API request leading to generation of error message...