CVE-2024-47654 No Rate Limiting vulnerability

This vulnerability exists in Shilpi Client Dashboard due to lack of rate limiting and Captcha protection for OTP requests in certain API endpoint. An unauthenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints, which could lead...

CVE-2024-47654 No Rate Limiting vulnerability

This vulnerability exists in Shilpi Client Dashboard due to lack of rate limiting and Captcha protection for OTP requests in certain API endpoint. An unauthenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints, which could lead...

CVE-2024-47651

This vulnerability exists in Shilpi Client Dashboard due to improper handling of multiple parameters in the API endpoint. An authenticated remote attacker could exploit this vulnerability by including multiple “userid” parameters in the API request body leading to unauthorized access of sensitive...

CVE-2024-47651

CVE-2024-47651 affects Shilpi Client Dashboard. The issue is improper handling of multiple parameters in the API endpoint, allowing an authenticated remote attacker to include multiple distinct userid parameters in the request body to gain unauthorized access to other users’ information. Descript...

CVE-2024-47911

In SonarSource SonarQube 10.4 through 10.5 before 10.6, a vulnerability was discovered in the authorizations/group-memberships API endpoint that allows SonarQube users with the administrator role to inject blind SQL commands...

Open Redirect

scoutbrowser is vulnerable to Open Redirect. The vulnerability is due to inadequate input validation and sanitization in the /login API endpoint, which does not properly handle the next parameter, and lack of scheme validation, which allows for both open redirects and HTTPS downgrade attacks...

CVE-2024-34535

In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header...

PT-2024-25955 · Mastodon · Mastodon

Name of the Vulnerable Software and Affected Versions: Mastodon version 4.1.6 Description: The issue allows API endpoint rate limiting to be bypassed by setting a crafted HTTP request header. Recommendations: For Mastodon version 4.1.6, as a temporary workaround, consider restricting access to AP...

CVE-2024-34535

CVE-2024-34535 affects Mastodon 4.1.6. The issue allows bypassing API endpoint rate limiting by sending a crafted HTTP request header. Impact is described as potential exposure of higher-level access due to rate-limiting bypass, with CVSSv3.1 indicating Network attack, High confidentiality impact...

CVE-2024-20477

A vulnerability in a specific REST API endpoint of Cisco NDFC could allow an authenticated, low-privileged, remote attacker to upload or delete files on an affected device. This vulnerability exists because of missing authorization controls on the affected REST API endpoint. An attacker could...

CVE-2024-20441 Cisco Nexus Dashboard Fabric Controller Unauthorized API Endpoint Vulnerability

A vulnerability in a specific REST API endpoint of Cisco NDFC could allow an authenticated, low-privileged, remote attacker to learn sensitive information on an affected device. This vulnerability is due to insufficient authorization controls on the affected REST API endpoint. An attacker could...

Grafana Labs Incorrect Permission (cve-2024-8118)

The version of Grafana Labs installed on the remote host is prior to 10.3.10, 10.4.9, 11.0.5, 11.1.6, or 11.2.1. It is, therefore, affected by a vulnerability as referenced in the cve-2024-8118 advisory. - In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing...

PT-2024-10154 · Gitlab · Gitlab Ce/Ee

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 11.8 through 17.4.6 GitLab CE/EE versions 17.5 through 17.5.4 GitLab CE/EE versions 17.6 through 17.6.2 Description: The issue is related to an open redirect vulnerability in a GitLab CE/EE API endpoint. This could allow...

CVE-2024-46635

An issue in the API endpoint /AccountMaster/GetCurrentUserInfo of INROAD before v202402060 allows attackers to access sensitive information via a crafted payload to the UserNameOrPhoneNumber parameter...

CVE-2024-47530 Scout contains an Open Redirect on Login via `next`

Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lac...

CVE-2024-47530 Scout contains an Open Redirect on Login via `next`

Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lac...

CVE-2024-46635

An issue in the API endpoint /AccountMaster/GetCurrentUserInfo of INROAD before v202402060 allows attackers to access sensitive information via a crafted payload to the UserNameOrPhoneNumber parameter...

CVE-2024-46635

An issue in the API endpoint /AccountMaster/GetCurrentUserInfo of INROAD before v202402060 allows attackers to access sensitive information via a crafted payload to the UserNameOrPhoneNumber parameter...

CVE-2024-46635

INROAD prior to v202402060 has a vulnerability in the API endpoint /AccountMaster/GetCurrentUserInfo where a crafted payload to the UserNameOrPhoneNumber parameter can cause inadvertent exposure of sensitive information. Affected: INROAD versions before 202402060; impact described as accessing se...

CVE-2024-8350 Uncanny Groups for LearnDash <= 6.1.0.1 - Missing Authorization to Authenticated (Group Leader+) User Group Add

The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to user group add due to a missing capability check on the /wp-json/ulgmmanagement/v1/adduser/ REST API endpoint in all versions up to, and including, 6.1.0.1. This makes it possible for authenticated attackers, with group...