2005 matches found
CVE-2024-31978
A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP2). Affected devices allow authenticated users to export monitoring data. The corresponding API endpoint is susceptible to path traversal and could allow an authenticated attacker to download files from the file system. Under...
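The entry above names the classic shape of an export-endpoint traversal: a caller-supplied file name joined onto a server directory with no containment check. The example below is added here and is not SINEC NMS code; the export directory `/srv/nms/exports` and the function names are hypothetical. It puts the unsafe join beside a containment check that resolves the path first and then verifies it still lands under the export root, so `..` segments, absolute paths and symlinks are all judged by where they end up rather than how they are spelled.

```python
import os

# Hypothetical export directory for the example; not SINEC NMS's real layout.
EXPORT_ROOT = "/srv/nms/exports"


def vulnerable_export_path(requested: str, root: str = EXPORT_ROOT) -> str:
    """The pattern behind classic path traversal: the request value is joined
    to the export directory as-is. os.path.join discards `root` entirely when
    `requested` is absolute, and '..' segments walk out of it."""
    return os.path.join(root, requested)


def safe_export_path(requested: str, root: str = EXPORT_ROOT) -> str:
    """Resolve the requested name under `root` and refuse anything that ends
    up outside it. realpath() normalises '..' and follows symlinks, so the
    check is on where the path actually lands, not on its spelling."""
    if not requested:
        raise ValueError("empty file name")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    # commonpath of the two absolute paths must be the root itself; a plain
    # startswith() check would wrongly accept /srv/nms/exports-old/report.csv.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"{requested!r} resolves outside the export directory")
    if candidate == root_real:
        raise ValueError("a file name is required, not the directory itself")
    return candidate


def is_allowed_export(requested: str, root: str = EXPORT_ROOT) -> bool:
    """Boolean wrapper around safe_export_path() for callers that only need a verdict."""
    try:
        safe_export_path(requested, root)
    except (ValueError, PermissionError):
        return False
    return True


if __name__ == "__main__":
    # Constructed request values, including two traversal attempts.
    for name in ["report.csv", "sub/../report.csv", "../../../etc/passwd", "/etc/passwd"]:
        print(f"{name!r:24} join -> {vulnerable_export_path(name)!r:40} "
              f"allowed? {is_allowed_export(name)}")
```

The check is deliberately done after `realpath()` on both sides: comparing the raw string against the root would let a symlinked file inside the export directory point anywhere, and comparing with `startswith()` instead of `commonpath()` would accept sibling directories that merely share the prefix.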
CVE-2024-3508
A flaw was found in Bombastic, which allows authenticated users to upload compressed bzip2 or zstd SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed...
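The Bombastic entry is cut off before it says what goes wrong, but the order of operations it describes, decompress the upload first and only then look at the JSON, is where unbounded decompression becomes a resource-exhaustion problem: the field checks cannot run until the whole stream has been expanded. The example below is added here and is not Bombastic's code (that project is written in Rust); it shows the defensive pattern in Python for bzip2 only, since the standard library has no zstd decompressor. Output is produced in bounded pieces and the request is rejected as soon as a configured ceiling is crossed, before any JSON parsing. The field names checked and the 1 MiB limit are hypothetical.

```python
import bz2
import json


class DecompressionLimitExceeded(ValueError):
    """Raised when the decompressed upload would exceed the configured ceiling."""


def bounded_bz2_decompress(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress a bzip2 stream incrementally, never holding more than
    `max_output` bytes of output. bz2.decompress() would materialise the whole
    stream first, so a few hundred compressed bytes could become gigabytes
    before any JSON check runs."""
    decomp = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data  # fed once; later calls pass b"" to drain buffered output
    while not decomp.eof:
        piece = decomp.decompress(pending, max_length=chunk)
        pending = b""
        if not piece and not decomp.eof:
            raise ValueError("truncated or corrupt bzip2 stream")
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"decompressed size exceeds {max_output} bytes")
    if decomp.unused_data:
        raise ValueError("trailing data after end of bzip2 stream")
    return bytes(out)


# Hypothetical minimal field check; None means "must be present, any value".
REQUIRED_FIELDS = {"bomFormat": "CycloneDX", "specVersion": None}


def validate_sbom_upload(compressed: bytes, max_output: int = 1 << 20) -> dict:
    """Decompress within the limit, then apply the field checks on the JSON."""
    raw = bounded_bz2_decompress(compressed, max_output)
    doc = json.loads(raw)
    for field, expected in REQUIRED_FIELDS.items():
        if field not in doc:
            raise ValueError(f"missing field {field!r}")
        if expected is not None and doc[field] != expected:
            raise ValueError(f"unexpected {field}={doc[field]!r}")
    return doc


def is_within_limit(compressed: bytes, max_output: int = 1 << 20) -> bool:
    """True if the stream fully decompresses without crossing `max_output`."""
    try:
        bounded_bz2_decompress(compressed, max_output)
    except DecompressionLimitExceeded:
        return False
    return True


# Constructed inputs: a tiny valid SBOM, and 4 MiB of zeros, which bzip2
# shrinks to well under a kilobyte.
SAMPLE_SBOM = json.dumps(
    {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}).encode()
SAMPLE_UPLOAD = bz2.compress(SAMPLE_SBOM)
BOMB_UPLOAD = bz2.compress(b"\x00" * (4 * 1024 * 1024))

if __name__ == "__main__":
    print(len(SAMPLE_UPLOAD), "compressed bytes ->", validate_sbom_upload(SAMPLE_UPLOAD))
    print(len(BOMB_UPLOAD), "compressed bytes -> within 1 MiB?", is_within_limit(BOMB_UPLOAD))
```

The ceiling should be chosen from the largest SBOM the service legitimately expects, and the same bound has to be applied to every supported codec; a limit on the compressed upload size alone does not help, because the ratio is what the attacker controls.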
PT-2024-24132 · Unknown · Computer Laboratory Management System
Name of the Vulnerable Software and Affected Versions: Computer Laboratory Management System version 1.0 Description: A stored cross-site scripting (XSS) issue allows attackers to execute arbitrary JavaScript code by including malicious payloads in the remarks, borrower name, faculty department...
PT-2024-22373 · Web-Flash · Web-Flash
Name of the Vulnerable Software and Affected Versions: web-flash version 3.0 Description: An issue in web-flash allows attackers to reset passwords for arbitrary users via a crafted POST request to "/prod-api/user/resetPassword". Recommendations: For web-flash version 3.0, consider disabling the...
CVE-2023-4605
The CVE-2023-4605 case describes a vulnerability in Lenovo XClarity Administrator (LXCA) where a valid authenticated LXCA user can potentially leverage an unauthenticated API endpoint to retrieve system event information. Affected component: LXCA’s API surface exposing system event data. Root ca...
CVE-2023-4605
A valid authenticated Lenovo XClarity Administrator (LXCA) user can potentially leverage an unauthenticated API endpoint to retrieve system event information...
GHSA-W67V-PH4X-F48Q Mattermost Server Improper Access Control
Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, and 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint, allowing a team admin to obtain the invite ID of their team and thus to invite users,...
CVE-2024-20283
A vulnerability in Cisco Nexus Dashboard could allow an authenticated, remote attacker to learn cluster deployment information on an affected device. This vulnerability is due to improper access controls on a specific API endpoint. An attacker could exploit this vulnerability by sending queries t...
CVE-2024-20283
Cisco Nexus Dashboard contains an information-disclosure vulnerability (CVE-2024-20283) due to improper access controls on a specific API endpoint. An authenticated remote attacker could query the API to access metrics and deployment information for devices within the Nexus Dashboard cluster. The...
Cisco Nexus Dashboard Information Disclosure Vulnerability
A vulnerability in Cisco Nexus Dashboard could allow an authenticated, remote attacker to learn cluster deployment information on an affected device. This vulnerability is due to improper access controls on a specific API endpoint. An attacker could exploit this vulnerability by sending queries t...
PT-2024-3859 · Cisco · Cisco Nexus Dashboard
Name of the Vulnerable Software and Affected Versions: Cisco Nexus Dashboard affected versions not specified Description: The issue is related to insufficient access controls on a specific API endpoint, allowing a remote attacker to gain unauthorized access to protected information by sending...
CVE-2024-1522
A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the /executecode API endpoint, which does not properly validate requests, enabling an attacker to craft a...
CVE-2024-1522 Cross-Site Request Forgery (CSRF) Leading to Remote Code Execution in parisneo/lollms-webui
A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the /executecode API endpoint, which does not properly validate requests, enabling an attacker to craft a...
VulnCheck KEV: CVE-2020-12124
A remote command-line injection vulnerability in the /cgi-bin/liveapi.cgi endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allows an attacker to execute arbitrary Linux commands as root without authentication...
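The WAVLINK entry is the CGI version of the oldest web bug: a request parameter interpolated into a command line that a shell then parses, on a device where the CGI runs as root. The example below is added here and is not the WAVLINK firmware (which is native CGI code); it uses Python to show the three ways the same `ping` feature can be built. The hostname validator and the argument list are the example's own; only a syntactically valid hostname or IPv4 address is ever passed on, and it is passed as one argv element, so no shell metacharacter is ever interpreted.

```python
import re
import shlex
import subprocess

# One DNS label: alphanumeric, optional hyphens inside, 1-63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def is_valid_host(host: str) -> bool:
    """Hostname or dotted IPv4 only; IPv6 literals are deliberately not accepted.
    A leading '-' fails the first character class, so no option injection either."""
    return len(host) <= 253 and HOST_RE.match(host) is not None


def vulnerable_ping_command(host: str) -> str:
    """The injectable pattern: request value spliced into a shell string.
    Anything after ';', '|', '`' or '$(' runs as a separate command."""
    return f"ping -c 1 {host}"


def shell_safe_ping_command(host: str) -> str:
    """If a shell is unavoidable, quote the value so it stays one word.
    Still inferior to an argv list, but it closes the metacharacter hole."""
    return "ping -c 1 " + shlex.quote(host)


def ping_argv(host: str) -> list:
    """Preferred form: validate, then build an argv list. No shell is involved,
    so the value can only ever be ping's single host argument."""
    if not is_valid_host(host):
        raise ValueError(f"invalid host {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Execute the validated argv with a timeout; returns ping's exit status."""
    return subprocess.run(ping_argv(host), capture_output=True,
                          timeout=timeout, check=False).returncode


if __name__ == "__main__":
    # Constructed request values: one benign, three injection attempts.
    for host in ["8.8.8.8", "8.8.8.8; id", "$(reboot)", "-c 100000 8.8.8.8"]:
        print(f"{host!r:22} shell string: {vulnerable_ping_command(host)!r:34} "
              f"valid? {is_valid_host(host)}")
```

Validation and argv construction are both needed: the allow-list keeps unexpected input out of the process at all, and the list form guarantees that even a value the validator misjudges reaches `ping` as data rather than as shell syntax. The entry's other point, that the CGI runs as root, is not fixed by either; the handler should run under a dedicated unprivileged account regardless.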
PT-2024-23336 · Shanghai Brad Technology · Bladex
Name of the Vulnerable Software and Affected Versions: Shanghai Brad Technology BladeX version 3.4.0 Description: A critical vulnerability has been found in the API component of Shanghai Brad Technology BladeX, specifically affecting an unknown function of the file /api/blade-user/export-user. Th...
PT-2024-3766 · Grafana +6 · Grafana +6
Name of the Vulnerable Software and Affected Versions: Grafana versions 9.5.0 through 9.5.17; 10.0.0 through 10.0.12; 10.1.0 through 10.1.8; 10.2.0 through 10.2.5; 10.3.0 through 10.3.4 Description: The issue is related to a Broken...
OESA-2024-1302 docker security update
Docker is an open source project to build, ship and run any application as a lightweight container. Security Fixes: Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch...
PT-2024-21447 · WordPress · Instawp Connect
Name of the Vulnerable Software and Affected Versions: InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress versions up to, and including, 0.1.0.22 Description: The issue is related to arbitrary file uploads due to insufficient file validation in the...
CVE-2024-28715
Cross Site Scripting vulnerability in DOraCMS v.2.18 and before allows a remote attacker to execute arbitrary code via the markdown0 function in the /app/public/apidoc/oas3/wrap-components/markdown.jsx endpoint...