2005 matches found

OSV
added 2024/06/06 6:15 p.m.

CVE-2024-1879

A Cross-Site Request Forgery CSRF vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint receiving instructions, enabling an attacker to direct a us...

CVSS 8.8 · AI score 7.4
Exploits 0 · References 2
Vulnrichment
added 2024/06/06 5:53 p.m.

CVE-2024-1879 CSRF to RCE in significant-gravitas/autogpt

A Cross-Site Request Forgery CSRF vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint receiving instructions, enabling an attacker to direct a us...

CVSS 8.8 · AI score 7.7 · EPSS 0.00524
Exploits 1 · References 2
CVE
added 2024/06/06 5:53 p.m.

CVE-2024-1879

CVE-2024-1879 affects significant-gravitas/autogpt (v0.5.0). Root cause: unprotected API endpoint that receives instructions, enabling CSRF to bypass protections and allow an attacker to induce a user in the local network to issue crafted requests that can lead to remote command execution. Compou...

CVSS 8.8 · AI score 8.9 · EPSS 0.00524
Exploits 1 · References 2 · Affected Software 1
Positive Technologies
added 2024/06/06 12:00 a.m.

PT-2024-18648 · Zenml Io · Zenml

Name of the Vulnerable Software and Affected Versions: zenml-io/zenml versions up to and including 0.55.3 Description: A race condition issue exists, allowing for the creation of multiple users with the same username when requests are sent in parallel. This is due to insufficient handling of...

CVSS 3.1 · AI score 4.5 · EPSS 0.00289
Exploits 0 · References 10
Positive Technologies
added 2024/06/06 12:00 a.m.

PT-2024-35320 · Lunary Ai · Lunary

Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 1.2.5 Description: An improper access control issue exists due to a missing permission check in the "GET /v1/users/me/org" endpoint. The platform's role definitions restrict the Prompt Editor role to prompt management...

CVSS 6.5 · AI score 6.6 · EPSS 0.00469
Exploits 1 · References 7
Positive Technologies
added 2024/06/06 12:00 a.m.

PT-2024-23319 · Mintplex · Anything-Llm

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm versions prior to 1.0.0 Description: An improper authorization issue exists in the mintplex-labs/anything-llm application, specifically within the "/api/v/" endpoint and its sub-routes. This flaw allows...

CVSS 9.4 · AI score 9.2 · EPSS 0.00552
Exploits 1 · References 8
Positive Technologies
added 2024/06/06 12:00 a.m.

PT-2024-18651 · Zenml Io · Zenml

Name of the Vulnerable Software and Affected Versions: zenml-io/zenml version 0.55.3 Description: An improper authorization issue exists in the zenml-io/zenml repository, specifically within the API "PUT /api/v1/users/id" endpoint. This issue allows any authenticated user to modify the informatio...

CVSS 6.5 · AI score 6.5 · EPSS 0.00623
Exploits 1 · References 10
Positive Technologies
added 2024/06/06 12:00 a.m.

PT-2024-18387 · Significant Gravitas · Autogpt

Name of the Vulnerable Software and Affected Versions: significant-gravitas/autogpt version v0.5.0 Description: A Cross-Site Request Forgery CSRF issue allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint...

CVSS 8.8 · AI score 9 · EPSS 0.00524
Exploits 1 · References 9
Positive Technologies
added 2024/06/02 12:00 a.m.

PT-2024-19294

Name of the Vulnerable Software and Affected Versions: Harbor versions 2.8.1 through 2.8.5; Harbor versions 2.9.0 through 2.9.3; Harbor versions 2.10.0 through 2.10.1. Description: A SQL Injection issue allows users with administrator, project admin, or project maintainer roles to execute any Postgres...

CVSS 5.5 · AI score 6.1 · EPSS 0.00417
Exploits 0 · References 10
NVD
added 2024/05/31 3:15 p.m.

CVE-2024-36108

casgate is an Open Source Identity and Access Management system. In affected versions casgate allows remote unauthenticated attacker to obtain sensitive information via GET request to an API endpoint. This issue has been addressed in PR 201 which is pending merge. An attacker could use id paramet...

CVSS 9.8 · AI score 9.6 · EPSS 0.00632
Exploits 0 · References 2
Vulnrichment
added 2024/05/31 2:37 p.m.

CVE-2024-36108 Multiple Broken Function-Level Authorization vulnerabilities in casgate

casgate is an Open Source Identity and Access Management system. In affected versions casgate allows remote unauthenticated attacker to obtain sensitive information via GET request to an API endpoint. This issue has been addressed in PR 201 which is pending merge. An attacker could use id paramet...

CVSS 9.8 · AI score 7 · EPSS 0.00632
Exploits 0 · References 2
Cvelist
added 2024/05/31 2:37 p.m.

CVE-2024-36108 Multiple Broken Function-Level Authorization vulnerabilities in casgate

casgate is an Open Source Identity and Access Management system. In affected versions casgate allows remote unauthenticated attacker to obtain sensitive information via GET request to an API endpoint. This issue has been addressed in PR 201 which is pending merge. An attacker could use id paramet...

CVSS 9.8 · AI score 9.6 · EPSS 0.00632
Exploits 0 · References 2
BDU FSTEC
added 2024/05/31 12:00 a.m.

The vulnerability of the Cisco Nexus Dashboard, a platform for analytics and automation of cloud computing data centers, stems from deficiencies in access control. This allows unauthorized individuals to gain unauthorized access to protected information.

The vulnerability of the Cisco Nexus Dashboard analytics and cloud-based data center automation platform is related to deficiencies in access control to the final API endpoint. Exploiting this vulnerability could allow an attacker to gain unauthorized access to protected information by sending...

CVSS 4.3 · AI score 5.5 · EPSS 0.00407
Exploits 0 · References 2
Positive Technologies
added 2024/05/28 12:00 a.m.

PT-2024-36060 · Unknown · Phpmybackuppro

Name of the Vulnerable Software and Affected Versions: PhpMyBackupPro version 2.3 Description: A vulnerability has been discovered that could allow an attacker to execute XSS through the "/phpmybackuppro/scheduled.php" API endpoint, utilizing all parameters. This issue could enable an attacker to...

CVSS 7.1 · AI score 6.1 · EPSS 0.00277
Exploits 0 · References 4
Positive Technologies
added 2024/05/28 12:00 a.m.

PT-2024-26234 · F Logic · F-Logic Datacube3

Name of the Vulnerable Software and Affected Versions: F-logic DataCube3 version 1.0 Description: The issue concerns a file upload vulnerability via the /admin/transceiver schedule.php API endpoint. This allows for potential malicious file uploads. No information is provided about the estimated...

CVSS 9.8 · AI score 6.3 · EPSS 0.12752
Exploits 1 · References 4
NVD
added 2024/05/26 2:15 p.m.

CVE-2024-34029

Mattermost versions 9.5.x /channels//link endpoint which allows a user to learn the members of an AD/LDAP group that is linked to a team by adding the group to a channel, even if the user has no access to the team...

CVSS 4.3 · AI score 4.5 · EPSS 0.00296
Exploits 0 · References 1
Cvelist
added 2024/05/26 1:27 p.m.

CVE-2024-34029 AD/LDAP Group Members Leak

Mattermost versions 9.5.x /channels//link endpoint which allows a user to learn the members of an AD/LDAP group that is linked to a team by adding the group to a channel, even if the user has no access to the team...

CVSS 4.3 · AI score 4.5 · EPSS 0.00296
Exploits 0 · References 1
Packet Storm
added 2024/05/24 12:00 a.m.

Debezium UI 2.5 Credential Disclosure

Exploit Title: Debezium UI - Credential Leakage Google Dork: N/A Date: 2024-03-11 Exploit Author: Ihsan Cetin, Hamza Kaya Toprak Vendor Homepage: https://debezium.io/ Software Link: N/A Version: 2.5 REQUIRED Tested on: N/A CVE : CVE-2024-28736 Proof of concept: Details Debezium-ui version 2.5 is...

AI score 7.4 · EPSS 0.02531
Exploits 2
Positive Technologies
added 2024/05/24 12:00 a.m.

PT-2024-26473 · Totolink · Totolink Lr350

Name of the Vulnerable Software and Affected Versions: TOTOLINK LR350 version 9.3.5u.6369 B20220309 Description: A stack overflow issue was discovered via the http host parameter in the loginAuth function. Recommendations: For TOTOLINK LR350 version 9.3.5u.6369 B20220309, as a temporary workaroun...

CVSS 9.8 · AI score 6.5 · EPSS 0.06071
Exploits 0 · References 4
Positive Technologies
added 2024/05/22 12:00 a.m.

PT-2024-26547 · Idccms · Idccms

Name of the Vulnerable Software and Affected Versions: idccms version 1.35 Description: The issue is related to a Cross-Site Request Forgery CSRF in the /admin/ca deal.php component. The API Endpoint "/admin/ca deal.php" is vulnerable, specifically with parameters mudi=del and empty dataType and...

CVSS 4.3 · AI score 6.5 · EPSS 0.00203
Exploits 1 · References 5