2005 matches found

Positive Technologies
added 2024/04/26 12:0 a.m. · 8 views

PT-2024-3428 · Linksys · Linksys E5600

Name of the Vulnerable Software and Affected Versions: Linksys E5600 version 1.1.0.26. Description: The issue is related to a command injection vulnerability via the ipurl parameter at the "/API/info" form endpoint. This vulnerability is associated with the lack of neutralization of special elemen...

CVSS 9.8 · AI score 9.6 · EPSS 0.02383
Exploits 1 · References 18
NVD
added 2024/04/25 6:15 p.m. · 8 views

CVE-2024-3508

A flaw was found in Bombastic, which allows authenticated users to upload compressed bzip2 or zstd SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed...

CVSS 4.3 · AI score 4.4 · EPSS 0.00491
Exploits 0 · References 2
Vulnrichment
added 2024/04/25 5:46 p.m. · 16 views

CVE-2024-3508 Bzip2: compressed content bomb leads to denial of service of bombastic api

A flaw was found in Bombastic, which allows authenticated users to upload compressed bzip2 or zstd SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed...

CVSS 4.3 · AI score 6.6 · EPSS 0.00491
Exploits 0 · References 2
CVE
added 2024/04/25 5:46 p.m. · 116 views

CVE-2024-3508

CVE-2024-3508 concerns Bombastic: authenticated users can upload compressed (bzip2 or zstd) SBOMs via the API, with verification that requires decompression of the uploaded file first. The vulnerability centers on the upload endpoint and its handling of compressed content, enabling a partial impa...

CVSS 4.3 · AI score 6.4 · EPSS 0.00491
Exploits 0 · References 2 · Affected Software 1
Veracode
added 2024/04/25 5:26 a.m. · 20 views

SQL Injection

Umbraco is vulnerable to SQL injection. The vulnerability is due to insufficient input validation in API endpoint handling, which allows attackers to inject SQL code through modified requests...

CVSS 5.5 · AI score 7.8 · EPSS 0.00407
Exploits 0 · References 1 · Affected Software 2
Snyk
added 2024/04/24 5:4 p.m. · 1 views

SQL Injection

Overview: Affected versions of this package are vulnerable to SQL Injection due to a particular API endpoint modification by authenticated backoffice users, which allows the inclusion and execution of arbitrary SQL commands without proper sanitization or validation. An attacker can manipulate...

CVSS 5.5 · AI score 8.3 · EPSS 0.00407
Exploits 0 · References 2
Github Security Blog
added 2024/04/24 5:4 p.m. · 27 views

Umbraco Workflow's Backoffice users can execute arbitrary SQL

Impact: Backoffice users can execute arbitrary SQL. Explanation of the vulnerability: A Backoffice user can modify requests to a particular API endpoint to include SQL which will be executed by the server. Affected versions: All versions. Patches: Workflow 10.3.9, 12.2.6, 13.0.6, Plumber 10.1.2...

CVSS 5.5 · AI score 8.1 · EPSS 0.00407
Exploits 0 · References 3 · Affected Software 2
Vulnrichment
added 2024/04/24 2:46 p.m. · 13 views

CVE-2024-32872 Umbraco Workflow's Backoffice users can execute arbitrary SQL

Umbraco workflow provides workflows for the Umbraco content management system. Prior to versions 10.3.9, 12.2.6, and 13.0.6, an Umbraco Backoffice user can modify requests to a particular API endpoint to include SQL, which will be executed by the server. Umbraco Workflow versions 10.3.9, 12.2.6,...

CVSS 5.5 · AI score 7 · EPSS 0.00407
Exploits 0 · References 1
Cvelist
added 2024/04/24 2:46 p.m. · 23 views

CVE-2024-32872 Umbraco Workflow's Backoffice users can execute arbitrary SQL

Umbraco workflow provides workflows for the Umbraco content management system. Prior to versions 10.3.9, 12.2.6, and 13.0.6, an Umbraco Backoffice user can modify requests to a particular API endpoint to include SQL, which will be executed by the server. Umbraco Workflow versions 10.3.9, 12.2.6,...

CVSS 5.5 · AI score 5.6 · EPSS 0.00407
Exploits 0 · References 1
CVE
added 2024/04/24 2:46 p.m. · 121 views

CVE-2024-32872

Umbraco Workflow (and Plumber) are affected by an SQL injection vulnerability where a Backoffice user can modify requests to a specific API endpoint to inject SQL that is executed on the server. Affected versions prior to fixed releases include Umbraco Workflow 10.3.9, 12.2.6, and 13.0.6, and Plu...

CVSS 5.5 · AI score 5.3 · EPSS 0.00407
Exploits 0 · References 1
Positive Technologies
added 2024/04/18 12:0 a.m. · 1 views

PT-2024-22681 · Memos · Memos

Name of the Vulnerable Software and Affected Versions: memos versions 0.13.2 through 0.16.0. Description: The issue is related to a Server-Side Request Forgery (SSRF) vulnerability. It exists at the "/o/get/httpmeta" API endpoint, allowing unauthenticated users to enumerate the internal network and...

CVSS 5.8 · AI score 5.5 · EPSS 0.01049
Exploits 1 · References 13
Positive Technologies
added 2024/04/17 12:0 a.m. · 1 views

PT-2024-23687 · Fudforum · Fudforum

Name of the Vulnerable Software and Affected Versions: FUDforum version 3.1.3. Description: A stored cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the SQL statements field under the "/adm/admsql.php" API endpoin...

CVSS 3.5 · AI score 5.8 · EPSS 0.00387
Exploits 1 · References 8
Positive Technologies
added 2024/04/17 12:0 a.m. · 4 views

PT-2024-23708 · Unknown · Phpgurukul Complaint Management System

Name of the Vulnerable Software and Affected Versions: phpgurukul Client Management System version 1.1. Description: The issue allows attackers to execute arbitrary code and obtain sensitive information. This is achieved via the fromdate and todate parameters in the "/bwdates-reports-ds.php" API...

CVSS 6.8 · AI score 7.4 · EPSS 0.00576
Exploits 1 · References 4
Github Security Blog
added 2024/04/16 12:30 a.m. · 33 views

Directory traversal in zenml

A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access restrictions. The...

CVSS 9.9 · AI score 9.5 · EPSS 0.3909
Exploits 2 · References 5 · Affected Software 1
NVD
added 2024/04/16 12:15 a.m. · 13 views

CVE-2024-2083

A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access restrictions. The...

CVSS 9.9 · AI score 9.6 · EPSS 0.3909
Exploits 2 · References 2
OSV
added 2024/04/16 12:15 a.m. · 15 views

CVE-2024-1665

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...

AI score 6.6
Exploits 0
NVD
added 2024/04/16 12:15 a.m. · 14 views

CVE-2024-1738

An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply knowing the evaluation...

CVSS 7.5 · AI score 7.7 · EPSS 0.0055
Exploits 1 · References 2
OSV
added 2024/04/16 12:15 a.m. · 27 views

CVE-2024-1738

An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply knowing the evaluation...

CVSS 7.5 · AI score 7.5 · EPSS 0.0055
Exploits 1 · References 2
NVD
added 2024/04/16 12:15 a.m. · 7 views

CVE-2024-0404

A mass assignment vulnerability exists in the /api/invite/:code endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker...

CVSS 9.1 · AI score 9.1 · EPSS 0.00783
Exploits 1 · References 2
OSV
added 2024/04/16 12:15 a.m. · 19 views

CVE-2024-0404

A mass assignment vulnerability exists in the /api/invite/:code endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker...

CVSS 9.1 · AI score 6.8
Exploits 0 · References 2