2005 matches found

Positive Technologies · added 2023/06/28 12:00 a.m. · 5 views

PT-2023-25062 · H3C · H3C Magic

Name of the Vulnerable Software and Affected Versions: H3C Magic version B1STV100R012
Description: A stack overflow in the UpdateWanParams function allows attackers to cause a Denial of Service (DoS) via a crafted POST request to an unspecified API endpoint.
Recommendations: For version B1STV100R01...

CVSS 7.5 · AI score 7.5 · EPSS 0.0071
Exploits 1 · References 3
Positive Technologies · added 2023/06/28 12:00 a.m. · 3 views

PT-2023-25060 · H3C · H3C Magic

Name of the Vulnerable Software and Affected Versions: H3C Magic B1STV100R012 (affected versions not specified)
Description: A stack overflow in the EditWlanMacList function allows attackers to cause a Denial of Service (DoS) via a crafted POST request to the API endpoint. The issue is related to the...

CVSS 7.5 · AI score 7.3 · EPSS 0.0071
Exploits 1 · References 4
OSV · added 2023/06/27 2:15 p.m. · 11 views

CVE-2023-2744

The ERP WordPress plugin before 1.12.4 does not properly sanitise and escape the type parameter in the erp/v1/accounting/v1/people REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...

CVSS 7.2 · AI score 7.2
Exploits 0 · References 2
Positive Technologies · added 2023/06/27 12:00 a.m. · 4 views

PT-2023-11501 · Jymusic · Jymusic

Name of the Vulnerable Software and Affected Versions: Jymusic version 2.0.0
Description: A cross-site request forgery (CSRF) issue allows attackers to execute arbitrary code via the "/admin.php?s=/addons/config.html&id=6" API endpoint to modify payment information. This can be achieved by exploiti...

CVSS 6.8 · AI score 6.9 · EPSS 0.00344
Exploits 1 · References 3
Huntr · added 2023/06/25 9:28 p.m. · 8 views

DoS via Document Comments

Description: An attacker can abuse the document comment functionality, handled by the /api/comments.create API endpoint, since there is no size check or validation of the comment contents, which allows an attacker to send a comment with almost an unlimited number of characters (1MB max POST size...

AI score 6.7
Exploits 0
Positive Technologies · added 2023/06/22 12:00 a.m. · 2 views

PT-2023-22484 · Laravel-S · Laravel-S

Name of the Vulnerable Software and Affected Versions: laravel-s versions prior to 3.7.36
Description: The issue is related to Local File Inclusion, which can be exploited via the /src/Illuminate/Laravel.php API endpoint.
Recommendations: For versions prior to 3.7.36, update to version 3.7.36 or...

CVSS 9.8 · AI score 6.8 · EPSS 0.00895
Exploits 1 · References 8
Positive Technologies · added 2023/06/21 12:00 a.m. · 3 views

PT-2023-36196 · Salt · Salt

Name of the Vulnerable Software and Affected Versions: salt versions prior to 3006.0
Description: The issue is related to several problems in the salt software, including collections Mapping issues, conflicts with dependencies, and failures due to the unavailability of the transactional update...

AI score 7.1
Exploits 0 · References 8
Hacker One · added 2023/06/17 8:34 a.m. · 31 views

Mars: CSRF to delete a pet

The /kisallataim/ANIMALID/delete API endpoint at myroyalcanin.hu was found to be vulnerable to Cross-Site Request Forgery (CSRF) attacks. This vulnerability could have been exploited to delete a user's pet from their account without their knowledge or consent...

AI score 7.3
Exploits 0
Positive Technologies · added 2023/06/16 12:00 a.m. · 4 views

PT-2023-21411 · Unknown · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost (affected versions not specified)
Description: The issue allows an authenticated attacker to edit an arbitrary channel post when creating a playbook run via the "/dialog API" endpoint. This is due to Mattermost's failure to validate...

CVSS 4.3 · AI score 4.4 · EPSS 0.00402
Exploits 0 · References 4
Vulnrichment · added 2023/06/14 12:00 a.m. · 9 views

CVE-2023-34747

File upload vulnerability in ujcms 6.0.2 via /api/backend/core/web-file-upload/upload...

AI score 9.5 · EPSS 0.20046
Exploits 1 · References 1
Positive Technologies · added 2023/06/07 12:00 a.m. · 3 views

PT-2023-4271 · Totolink · Totolink A7100Ru

Name of the Vulnerable Software and Affected Versions: TOTOLink A7100RU version V7.4cu.2313 B20191024
Description: The issue is related to the lack of input data sanitization in the staticGw function of the TOTOLink A7100RU router's firmware. This allows a remote attacker to exploit the...

CVSS 9.8 · AI score 7.8 · EPSS 0.01958
Exploits 1 · References 7
Positive Technologies · added 2023/06/03 12:00 a.m. · 9 views

PT-2023-18812 · Vcita · Online Booking & Scheduling Calendar For Wordpress

Name of the Vulnerable Software and Affected Versions: The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress, versions up to and including 4.2.10
Description: The issue allows unauthorized modification of data via the "/wp-json/vcita-wordpress/v1/actions/auth"...

CVSS 5.3 · AI score 6.2 · EPSS 0.00645
Exploits 1 · References 9
NVD · added 2023/05/31 12:15 a.m. · 11 views

CVE-2023-28345

An issue was discovered in Faronics Insight 10.0.19045 on Windows. The Insight Teacher Console application exposes the teacher's Console password in cleartext via an API endpoint accessible from localhost. Attackers with physical access to the Teacher Console can open a web browser, navigate to t...

CVSS 4.6 · AI score 4.6 · EPSS 0.00319
Exploits 1 · References 2
Positive Technologies · added 2023/05/31 12:00 a.m. · 8 views

PT-2023-24425 · H3C · H3C Magic R300

Name of the Vulnerable Software and Affected Versions: H3C Magic R300 version R300-2100MV100R004
Description: A stack overflow issue was discovered via the SetMobileAPInfoById interface at the "/goform/aspForm" API endpoint.
Recommendations: For H3C Magic R300 version R300-2100MV100R004, consider...

CVSS 7.2 · AI score 6.9 · EPSS 0.00933
Exploits 0 · References 3
Positive Technologies · added 2023/05/31 12:00 a.m. · 4 views

PT-2023-24418 · H3C · H3C Magic R300

Name of the Vulnerable Software and Affected Versions: H3C Magic R300 version R300-2100MV100R004
Description: A stack overflow issue was discovered via the ipqos lanip dellist interface at the "/goform/aspForm" API endpoint.
Recommendations: For H3C Magic R300 version R300-2100MV100R004, as a...

CVSS 7.2 · AI score 7 · EPSS 0.00933
Exploits 0 · References 4
Positive Technologies · added 2023/05/31 12:00 a.m. · 5 views

PT-2023-24421 · H3C · H3C Magic R300

Name of the Vulnerable Software and Affected Versions: H3C Magic R300 version R300-2100MV100R004
Description: A stack overflow issue was discovered via the "UpdateMacClone" interface at the "/goform/aspForm" API endpoint.
Recommendations: For H3C Magic R300 version R300-2100MV100R004, consider...

CVSS 7.2 · AI score 7.1 · EPSS 0.00933
Exploits 0 · References 3
CVE · added 2023/05/30 12:00 a.m. · 44 views

CVE-2023-28345

CVE-2023-28345 affects Faronics Insight 10.0.19045 on Windows, where the Insight Teacher Console exposes the teacher's password in cleartext via a localhost API endpoint. An attacker with physical access can open a browser, access the endpoint, and obtain the password, enabling login to the Teach...

CVSS 4.6 · AI score 4.6 · EPSS 0.00319
Exploits 1 · References 2 · Affected Software 1
Cvelist · added 2023/05/30 12:00 a.m. · 19 views

CVE-2023-28345

An issue was discovered in Faronics Insight 10.0.19045 on Windows. The Insight Teacher Console application exposes the teacher's Console password in cleartext via an API endpoint accessible from localhost. Attackers with physical access to the Teacher Console can open a web browser, navigate to t...

AI score 5 · EPSS 0.00319
Exploits 1 · References 2
Veracode · added 2023/05/29 2:46 a.m. · 16 views

Cross-site Scripting (XSS)

SSCMS is vulnerable to Cross-site Scripting (XSS). The vulnerability exists because of the improper sanitization in the ajaxDivId argument in the Submit function of ActionsSearchController.Submit.cs, which allows an attacker to inject and execute malicious javascript through the...

CVSS 6.1 · AI score 6.6 · EPSS 0.00561
Exploits 1 · References 4 · Affected Software 1
Positive Technologies · added 2023/05/24 12:00 a.m. · 5 views

PT-2023-24495 · Netbox · Netbox

Name of the Vulnerable Software and Affected Versions: Netbox version 3.5.1
Description: A stored cross-site scripting (XSS) issue exists in the Create Site Groups function, specifically at the /dcim/site-groups/ API endpoint, allowing attackers to execute arbitrary web scripts or HTML by injecting...

CVSS 5.4 · AI score 5.4 · EPSS 0.00394
Exploits 1 · References 3