CVE-2024-51560 Improper Error Handling Vulnerability in Wave 2.0

This vulnerability exists in the Wave 2.0 due to improper exception handling for invalid inputs at certain API endpoint. An authenticated remote attacker could exploit this vulnerability by providing invalid inputs for “userId” parameter in the API request leading to generation of error message...

CVE-2024-51560

The CVE-2024-51560 issue affects Wave 2.0, stemming from improper exception handling for invalid inputs in a specific API endpoint that processes the userId parameter. An authenticated remote attacker could trigger error messages that leak sensitive information about the targeted system. Document...

CVE-2024-51560 Improper Error Handling Vulnerability in Wave 2.0

This vulnerability exists in the Wave 2.0 due to improper exception handling for invalid inputs at certain API endpoint. An authenticated remote attacker could exploit this vulnerability by providing invalid inputs for “userId” parameter in the API request leading to generation of error message...

CVE-2024-51557 No Rate Limiting Vulnerability in Wave 2.0

This vulnerability exists in the Wave 2.0 due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoint which could lead to the OTP bombing/flooding on the targeted...

CVE-2024-51557 No Rate Limiting Vulnerability in Wave 2.0

This vulnerability exists in the Wave 2.0 due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoint which could lead to the OTP bombing/flooding on the targeted...

PT-2024-34700 · Wave · Wave

Name of the Vulnerable Software and Affected Versions: Wave 2.0 Description: This issue exists due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this by sending multiple OTP requests through the vulnerable API endpoint, leading to OTP...

CVE-2024-10697

A vulnerability has been found in Tenda AC6 15.03.05.19 and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac of the component API Endpoint. The manipulation of the argument mac leads to command injection. The attack can be...

CVE-2024-10697

A vulnerability has been found in Tenda AC6 15.03.05.19 and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac of the component API Endpoint. The manipulation of the argument mac leads to command injection. The attack can be...

CVE-2024-10697 Tenda AC6 API Endpoint WriteFacMac formWriteFacMac command injection

A vulnerability has been found in Tenda AC6 15.03.05.19 and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac of the component API Endpoint. The manipulation of the argument mac leads to command injection. The attack can be...

CVE-2024-10697 Tenda AC6 API Endpoint WriteFacMac formWriteFacMac command injection

A vulnerability has been found in Tenda AC6 15.03.05.19 and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac of the component API Endpoint. The manipulation of the argument mac leads to command injection. The attack can be...

CVE-2024-8185

A flaw was found in HashiCorp Vault. Clusters using Vault’s Integrated Storage backend are vulnerable to a denial of service DoS attack through memory exhaustion through a Raft cluster join API endpoint. This flaw allows an attacker to send a large volume of requests to the endpoint, which may...

GHSA-G233-2P4R-3Q7V Hashicorp Vault vulnerable to denial of service through memory exhaustion

Vault Community and Vault Enterprise “Vault” clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service DoS attack through memory exhaustion through a Raft cluster join API endpoint. An attacker may send a large volume of requests to the endpoint which may cause Vault...

CVE-2024-8185

Vault Community and Vault Enterprise “Vault” clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service DoS attack through memory exhaustion through a Raft cluster join API endpoint . An attacker may send a large volume of requests to the endpoint which may cause Vaul...

CVE-2024-8185

CVE-2024-8185 affects Vault Community/Enterprise when using Integrated Storage with Raft; memory exhaustion via the cluster-join API can lead to DoS or Vault process crash. Likely impact is loss of service due to memory pressure. Fixes are available: Vault Community 1.18.1 and Vault Enterprise 1....

CVE-2024-10008 Masteriyo LMS – eLearning and Online Course Builder for WordPress <= 1.13.3 - Authenticated (Student+) Missing Authorization to Privilege Escalation

The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to unauthorized user profile modification due to missing authorization checks on the /wp-json/masteriyo/v1/users/$id REST API endpoint in all versions up to, and including, 1.13.3. This makes ...

PT-2024-15969 · WordPress · Masteriyo - Lms

Name of the Vulnerable Software and Affected Versions: Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress versions up to, and including, 1.13.3 Description: The issue is related to missing authorization checks on the "/wp-json/masteriyo/v1/users/$id" REST API...

CVE-2024-49358

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v1/users/login in ZimaOS returns distinct responses based on whether a username exists or the password is incorrect. This behavior can b...

CVE-2024-49359

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v21/file in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on...

CVE-2024-49359 ZimaOS vulnerable to Directory Listing via Parameter Manipulation

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v21/file in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on...

CVE-2024-49359 ZimaOS vulnerable to Directory Listing via Parameter Manipulation

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v21/file in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on...