Lucene search

2005 matches found

Github Security Blog
added 2024/08/05 9:29 p.m. · 30 views

Flowise Cross-site Scripting in /api/v1/public-chatflows/{id}

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/public-chatflows/{id} endpoint. If the default configuration is used (unauthenticated), an attacker may be able to...

CVSS 6.1 · AI score 5.9 · EPSS 0.00405
Exploits 1 · References 4 · Affected software 1

Github Security Blog
added 2024/08/05 9:29 p.m. · 29 views

Flowise Cross-site Scripting in /api/v1/credentials/{id}

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/credentials/{id} endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craf...

CVSS 6.1 · AI score 5.9 · EPSS 0.00405
Exploits 1 · References 4 · Affected software 1

Github Security Blog
added 2024/08/05 9:29 p.m. · 26 views

Flowise Cross-site Scripting in /api/v1/chatflows-streaming/{id}

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/chatflows-streaming/{id} endpoint. If the default configuration is used (unauthenticated), an attacker may be able...

CVSS 6.1 · AI score 5.8 · EPSS 0.00459
Exploits 1 · References 4 · Affected software 1

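The three Flowise advisories above share one shape: a path parameter that does not match a record is reflected into an error response the browser renders as HTML. Flowise itself is written in TypeScript; what follows is an added, constructed Python stand-in (not Flowise's code) showing that shape beside the fix, which is two independent controls: return a JSON body with a non-HTML content type, and HTML-escape anything that is reflected. The CHATFLOWS table and the payload are constructed for the example.

```python
import html
import json

# Constructed stand-in for a chatflow lookup table; not Flowise's data model.
CHATFLOWS = {"abc-123": {"name": "support-bot"}}

XSS_PAYLOAD = '<img src=x onerror=alert(1)>'   # constructed reflected value


def lookup_vulnerable(chatflow_id: str) -> tuple:
    """Reflects the raw path parameter into an HTML error page.
    Returns (status, content_type, body)."""
    flow = CHATFLOWS.get(chatflow_id)
    if flow is None:
        # The untrusted id lands verbatim in a text/html response, so a crafted
        # id containing markup executes in the browser of whoever opens the URL.
        return 404, "text/html", f"<p>Chatflow {chatflow_id} not found</p>"
    return 200, "application/json", json.dumps(flow)


def lookup_fixed(chatflow_id: str) -> tuple:
    """Same lookup with two independent defences: the error body is JSON served
    with a non-HTML content type, and the reflected value is HTML-escaped so it
    stays inert even if some client does render it."""
    flow = CHATFLOWS.get(chatflow_id)
    if flow is None:
        body = json.dumps({"error": "Chatflow not found",
                           "id": html.escape(chatflow_id, quote=True)})
        return 404, "application/json", body
    return 200, "application/json", json.dumps(flow)


def reflects_unescaped(body: str, payload: str) -> bool:
    """True if the raw payload appears verbatim in the response body."""
    return payload in body


if __name__ == "__main__":
    for handler in (lookup_vulnerable, lookup_fixed):
        status, ctype, body = handler(XSS_PAYLOAD)
        print(handler.__name__, status, ctype, reflects_unescaped(body, XSS_PAYLOAD))
```

The content-type change is the one that matters most for a reflected XSS in an API: a browser will not execute script from an `application/json` response even when the value inside is unescaped. The escaping is there so that the value is also safe if it is later copied into an HTML template.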
NVD
added 2024/08/02 11:16 a.m. · 24 views

CVE-2024-38878

A vulnerability has been identified in Omnivise T3000 Application Server R9.2 All versions, Omnivise T3000 R8.2 SP3 All versions, Omnivise T3000 R8.2 SP4 All versions. Affected devices allow authenticated users to export diagnostics data. The corresponding API endpoint is susceptible to path...

CVSS 7.2 · EPSS 0.11452
Exploits 3 · References 2

Cvelist
added 2024/08/02 10:36 a.m. · 23 views

CVE-2024-38878

A vulnerability has been identified in Omnivise T3000 Application Server R9.2 All versions, Omnivise T3000 R8.2 SP3 All versions, Omnivise T3000 R8.2 SP4 All versions. Affected devices allow authenticated users to export diagnostics data. The corresponding API endpoint is susceptible to path...

CVSS 7.2 · EPSS 0.11452
Exploits 3 · References 1

OpenVAS
added 2024/08/01 12:00 a.m. · 17 views

Ubuntu: Security Advisory (USN-6935-1)

The remote host is missing an update for the prometheus-alertmanager package(s) announced via the USN-6935-1 advisory.

CVSS 7.5 · AI score 7.1 · EPSS 0.00568
Exploits 0 · References 2

Ubuntu
added 2024/07/31 3:07 p.m. · 21 views

USN-6935-1: Prometheus Alertmanager vulnerability

It was discovered that prometheus-alertmanager didn't properly sanitize input it received through an API endpoint. An attacker with permission to send requests to this endpoint could potentially inject arbitrary code. On Ubuntu 20.04 LTS and Ubuntu 22.04 LTS, this vulnerability is only present if...

CVSS 7.5 · AI score 7.3 · EPSS 0.00568
Exploits 0

Tenable Nessus
added 2024/07/31 12:00 a.m. · 78 views

Amazon Linux 2 : docker (ALASNITRO-ENCLAVES-2024-041)

The version of docker installed on the remote host is prior to 25.0.6-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2024-041 advisory. 2025-01-04: CVE-2024-36620 was added to this advisory. 2025-01-04: CVE-2024-36623 was added to this advisory...

CVSS 9.9 · AI score 7.6 · EPSS 0.16496
Exploits 0 · References 12

Cvelist
added 2024/07/30 4:13 p.m. · 25 views

CVE-2024-7297 Langflow Privilege Escalation

Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged attacker to gain super admin privileges by performing a mass assignment request on the '/api/v1/users' endpoint...

CVSS 8.8 · EPSS 0.21346
Exploits 1 · References 1

Positive Technologies
added 2024/07/30 12:00 a.m. · 5 views

PT-2024-38245 · Langflow · Langflow

Name of the Vulnerable Software and Affected Versions: Langflow versions prior to 1.0.13. Description: The issue allows a remote and low privileged attacker to gain super admin privileges by performing a mass assignment request on the "/api/v1/users" endpoint. Recommendations: For Langflow version...

CVSS 8.8 · AI score 6.6 · EPSS 0.21346
Exploits 1 · References 7

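The two Langflow entries above describe mass assignment: a user-update handler copies every field of the request body onto the user record, so a low-privileged caller who includes a privilege flag in the body promotes themselves. The block below is an added, constructed Python example (not Langflow's code or data model) showing the pattern beside a fix that rejects unknown fields and requires admin rights for anything outside a self-editable allow-list. The `User` dataclass, the `SELF_EDITABLE` set and the request bodies are assumptions made for the example.

```python
from dataclasses import dataclass, fields, replace


@dataclass
class User:
    username: str
    is_superuser: bool = False
    is_active: bool = True


# Constructed policy: the only field a user may change on their own record.
SELF_EDITABLE = frozenset({"username"})


def update_user_vulnerable(user: User, patch: dict) -> User:
    """Applies every key of the JSON body onto the model (mass assignment):
    a body carrying is_superuser=True is honoured for any caller."""
    return replace(user, **patch)


def update_user_fixed(user: User, patch: dict, caller_is_superuser: bool) -> User:
    """Only known, allow-listed fields are copied; privileged fields require
    the caller to already hold admin rights."""
    known = {f.name for f in fields(user)}
    unknown = set(patch) - known
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    privileged = set(patch) - SELF_EDITABLE
    if privileged and not caller_is_superuser:
        raise PermissionError(f"not allowed to set: {sorted(privileged)}")
    return replace(user, **patch)


def try_update(user: User, patch: dict, caller_is_superuser: bool) -> str:
    """Outcome label for a constructed request against the fixed handler:
    'ok:<is_superuser>', 'forbidden' or 'bad_request'."""
    try:
        updated = update_user_fixed(user, patch, caller_is_superuser)
        return f"ok:{updated.is_superuser}"
    except PermissionError:
        return "forbidden"
    except ValueError:
        return "bad_request"


if __name__ == "__main__":
    alice = User("alice")
    escalate = {"username": "alice", "is_superuser": True}
    print("vulnerable:", update_user_vulnerable(alice, escalate))
    print("fixed, low-priv caller:", try_update(alice, escalate, False))
```

The allow-list is deliberately a separate object from the model: adding a field to the dataclass must not silently make it client-writable, which is exactly how mass-assignment bugs appear after a schema change.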
NVD
added 2024/07/24 4:15 p.m. · 63 views

CVE-2024-40422

The snapshotpath parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshotpath parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized...

CVSS 9.1 · EPSS 0.11414
Exploits 6 · References 4

Vulnrichment
added 2024/07/24 12:00 a.m. · 17 views

CVE-2024-40422

The snapshotpath parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshotpath parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized...

AI score 6.6 · EPSS 0.11414
Exploits 6 · References 3

Positive Technologies
added 2024/07/24 12:00 a.m. · 6 views

PT-2024-28842 · Unknown · Stitionai/Devika

Name of the Vulnerable Software and Affected Versions: stitionai devika version v1. Description: The issue concerns a path traversal attack through the snapshotpath parameter in the "/api/get-browser-snapshot" endpoint. This allows an attacker to manipulate the snapshotpath parameter, traverse...

CVSS 9.1 · AI score 9.5 · EPSS 0.11414
Exploits 6 · References 7

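The devika entries above and the Omnivise T3000 diagnostics-export entries (CVE-2024-38878) earlier in the list are the same bug class: an endpoint returns a file whose path is built from a request parameter without checking that the result stays inside the intended directory. The block below is an added, constructed Python example (not devika's or Siemens' code) with the vulnerable join beside a containment check that resolves the final path, symlinks included, and refuses anything outside the base directory. The temporary directory layout is constructed by `demo()`; the function and parameter names are assumptions.

```python
import os
import tempfile


def read_snapshot_vulnerable(base_dir: str, snapshot_path: str) -> bytes:
    """Joins the user-supplied value onto the snapshot directory with no
    containment check. '../' segments walk out of base_dir, and an absolute
    value makes os.path.join discard base_dir entirely."""
    with open(os.path.join(base_dir, snapshot_path), "rb") as f:
        return f.read()


def read_snapshot_fixed(base_dir: str, snapshot_path: str) -> bytes:
    """Resolves the final path (following symlinks) and only opens it if it
    is still inside the resolved base directory."""
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, snapshot_path))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes snapshot directory: {snapshot_path!r}")
    with open(target, "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed layout: a snapshot directory holding one image, and a
    secret file one level above it. Returns what each handler does."""
    top = tempfile.mkdtemp()
    snaps = os.path.join(top, "snapshots")
    os.mkdir(snaps)
    with open(os.path.join(snaps, "page.png"), "wb") as f:
        f.write(b"PNG-bytes")
    with open(os.path.join(top, "secret.txt"), "wb") as f:
        f.write(b"TOP-SECRET")

    results = {
        "legit": read_snapshot_fixed(snaps, "page.png"),
        # The vulnerable handler happily serves the file outside its directory.
        "vulnerable_leak": read_snapshot_vulnerable(snaps, "../secret.txt"),
    }
    for key, probe in (("fixed_blocked", "../secret.txt"),
                       ("absolute_blocked", "/etc/passwd")):
        try:
            read_snapshot_fixed(snaps, probe)
            results[key] = False
        except PermissionError:
            results[key] = True
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Checking the resolved path rather than the input string is what makes this robust: filters that strip `..` from the parameter miss encoded variants and symlinks, whereas `realpath` plus `commonpath` judges where the open will actually land.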
NVD
added 2024/07/22 6:15 p.m. · 44 views

CVE-2024-40634

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to...

CVSS 7.5 · EPSS 0.01392
Exploits 1 · References 4

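The Argo CD entry is an unbounded-read problem: an unauthenticated endpoint reads and parses whatever body the client sends, so memory use is set by the attacker. Argo CD is written in Go; the block below is an added, constructed Python example (not Argo CD's code) contrasting the unbounded read with a reader that caps the body before the JSON parser allocates anything. The 1 MiB limit, the `PayloadTooLarge` type and the filler payload are assumptions made for the example.

```python
import io
import json

MAX_WEBHOOK_BYTES = 1 << 20   # assumed cap (1 MiB); not Argo CD's setting


class PayloadTooLarge(ValueError):
    pass


def parse_webhook_unbounded(stream) -> dict:
    """Reads the whole body, then parses it. Memory is bounded only by what
    the client decides to send; Content-Length is advisory and can lie."""
    return json.loads(stream.read())


def parse_webhook_bounded(stream, limit: int = MAX_WEBHOOK_BYTES) -> dict:
    """Reads at most limit+1 bytes. An extra byte proves the body exceeds the
    cap, and the request is rejected before json.loads sees it."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise PayloadTooLarge(f"webhook body exceeds {limit} bytes")
    return json.loads(data)


def make_body(n_keys: int) -> bytes:
    """Constructed webhook body: a plausible ref plus n_keys filler entries."""
    payload = {"ref": "refs/heads/main"}
    payload.update({f"k{i}": "x" * 64 for i in range(n_keys)})
    return json.dumps(payload).encode()


def try_parse(data: bytes, limit: int) -> str:
    """'parsed' or 'rejected' for a body under the bounded reader."""
    try:
        parse_webhook_bounded(io.BytesIO(data), limit)
        return "parsed"
    except PayloadTooLarge:
        return "rejected"


def keys_unbounded(data: bytes) -> int:
    """How many keys the unbounded reader materialises for the same body."""
    return len(parse_webhook_unbounded(io.BytesIO(data)))


if __name__ == "__main__":
    big = make_body(20_000)
    print(len(big), "bytes:", try_parse(big, MAX_WEBHOOK_BYTES),
          "(unbounded reader parsed", keys_unbounded(big), "keys)")
```

The cap belongs on the reader, not on a check of the `Content-Length` header, because a client can under-declare the length or use chunked encoding; reading `limit + 1` bytes is the cheapest way to learn the body is too large without buffering it all.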
Positive Technologies
added 2024/07/19 12:00 a.m. · 8 views

PT-2024-5343 · D Link · D-Link Dir-823X Ax3000 Dual-Band Gigabit Wireless Router

Name of the Vulnerable Software and Affected Versions: D-Link DIR-823X AX3000 Dual-Band Gigabit Wireless Router version v21 D240126. Description: The issue is related to a remote code execution vulnerability in the ntp_zone_val parameter at the /goform/set_ntp API endpoint. This vulnerability can ...

CVSS 9.8 · AI score 9.5 · EPSS 0.02057
Exploits 1 · References 8

Positive Technologies
added 2024/07/18 12:00 a.m. · 4 views

PT-2025-2795 · Edimax · Edimax Ac1200 Wi-Fi 5 Dual-Band Router Br-6476Ac

Name of the Vulnerable Software and Affected Versions: Edimax AC1200 Wi-Fi 5 BR-6476AC version 1.06. Description: The issue is related to a buffer overflow due to the lack of input size validation. This can be exploited by a remote attacker to cause a denial of service or execute arbitrary command...

CVSS 8.8 · AI score 7.8 · EPSS 0.00458
Exploits 1 · References 6

NVD
added 2024/07/17 6:15 p.m. · 25 views

CVE-2024-40633

Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve ord...

CVSS 5.3 · EPSS 0.0038
Exploits 0 · References 1

Vulnrichment
added 2024/07/17 5:51 p.m. · 28 views

CVE-2024-40633 Customer data leak via adjustments API endpoint in Sylius

Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve ord...

CVSS 5.3 · AI score 6.6 · EPSS 0.0038
Exploits 0 · References 1

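The Sylius entries describe an insecure direct object reference: the adjustments endpoint looks records up by a sequential integer id and returns them to any caller, so walking the id space leaks other customers' order data. The sequential ids only make enumeration cheap; the actual defect is the missing ownership check. Sylius is PHP; the block below is an added, constructed Python example (not Sylius' code or schema) with the id-only lookup beside a lookup scoped to the requesting customer, plus a small harvesting loop showing what each version gives an attacker holding one ordinary account. The store contents and id ranges are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    id: int
    customer_id: int


@dataclass(frozen=True)
class Adjustment:
    id: int
    order_id: int
    label: str
    amount: int   # minor currency units


# Constructed store: sequential ids, orders belonging to two customers.
ORDERS = {1: Order(1, customer_id=10), 2: Order(2, customer_id=20)}
ADJUSTMENTS = {
    1: Adjustment(1, order_id=1, label="Shipping", amount=500),
    2: Adjustment(2, order_id=2, label="Promo code", amount=-300),
}


def get_adjustment_vulnerable(adj_id: int, customer_id: int):
    """Looks the record up by id alone; the caller's identity is ignored."""
    return ADJUSTMENTS.get(adj_id)


def get_adjustment_fixed(adj_id: int, customer_id: int):
    """Scopes the lookup to the caller: the adjustment's order must belong to
    the requesting customer. A foreign id yields the same None as a missing
    id, so the response does not even confirm that the id exists."""
    adj = ADJUSTMENTS.get(adj_id)
    if adj is None:
        return None
    order = ORDERS.get(adj.order_id)
    if order is None or order.customer_id != customer_id:
        return None
    return adj


def enumerate_ids(handler, customer_id: int, upper: int = 100) -> list:
    """What an attacker with one low-privileged account can harvest by
    iterating ids 1..upper against the given handler."""
    return [i for i in range(1, upper + 1) if handler(i, customer_id) is not None]


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(get_adjustment_vulnerable, customer_id=10))
    print("fixed:     ", enumerate_ids(get_adjustment_fixed, customer_id=10))
```

Returning the same not-found result for "does not exist" and "not yours" is a deliberate choice: a distinct 403 would still let the attacker map which ids are live, which is half of what the enumeration in the advisory is about.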
Positive Technologies
added 2024/07/16 12:00 a.m. · 3 views

PT-2024-28854 · Thinksaas · Thinksaas

Name of the Vulnerable Software and Affected Versions: ThinkSAAS version 3.7.0. Description: The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the name parameter at the "/system/action/update.php" API endpoint. Recommendations: For ThinkSAAS version...

CVSS 9.8 · AI score 9.4 · EPSS 0.0051
Exploits 1 · References 6

Positive Technologies
added 2024/07/12 12:00 a.m. · 4 views

PT-2024-28728 · Fog · Fog

Name of the Vulnerable Software and Affected Versions: FOG versions prior to 1.5.10.34. Description: The issue is related to a command injection via the filename parameter to the "/fog/management/export.php" API endpoint. This allows for code execution. The estimated number of potentially affected...

CVSS 9.8 · AI score 7.3 · EPSS 0.23414
Exploits 1 · References 11
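The FOG entry describes OS command injection through a filename parameter: a user-controlled name is spliced into a shell command line, so shell metacharacters in it run as commands. FOG is PHP; the block below is an added, constructed Python example (not FOG's code) with the shell-interpolated version beside a fix that allow-lists the name and passes it as a single argv element with no shell involved. The "exporter" is a constructed stand-in that just echoes its first argument, so the example runs wherever Python does; the name policy is an assumption.

```python
import re
import shlex
import subprocess
import sys

# Constructed policy: letters, digits, dot, underscore, dash; no leading '-'
# so the name can never be parsed as an option by the tool it is handed to.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,63}")

# Constructed stand-in for the export tool: prints its first argument.
EXPORTER = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def run_export_vulnerable(filename: str) -> str:
    """Interpolates the filename into a shell command line. Metacharacters in
    it (';', '|', '$(...)', backticks) are interpreted by the shell."""
    cmd = " ".join(shlex.quote(a) for a in EXPORTER) + " " + filename
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_export_fixed(filename: str) -> str:
    """Validates the name against the allow-list, then passes it as one argv
    element with shell=False: the tool receives it verbatim as data."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return subprocess.run(EXPORTER + [filename], capture_output=True, text=True,
                          check=True).stdout


def try_fixed(filename: str) -> str:
    """Stripped output of the fixed handler, or 'rejected' if validation fails."""
    try:
        return run_export_fixed(filename).strip()
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed attacker value: terminates the command and appends another.
    print("vulnerable:", run_export_vulnerable("report; echo INJECTED"))
    print("fixed:", try_fixed("report; echo INJECTED"))
```

Both halves of the fix matter: dropping the shell removes the interpretation of `;` and friends, and the allow-list keeps a name such as `-rf` from being read as a flag by the program that eventually receives it.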