CVE-2022-24848

DHIS2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability affects the /api/programs/orgUnits?programs= API endpoint in DHIS2 versions prior to 2.36.10.1 and 2.37.6.1. The system is vulnerable to attack only from...

CVE-2022-24848 SQL Injection in DHIS2's in OrgUnit program association

DHIS2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability affects the /api/programs/orgUnits?programs= API endpoint in DHIS2 versions prior to 2.36.10.1 and 2.37.6.1. The system is vulnerable to attack only from...

CVE-2022-24848 SQL Injection in DHIS2's in OrgUnit program association

DHIS2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability affects the /api/programs/orgUnits?programs= API endpoint in DHIS2 versions prior to 2.36.10.1 and 2.37.6.1. The system is vulnerable to attack only from...

CVE-2022-24848 SQL Injection in DHIS2's in OrgUnit program association

DHIS2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability affects the /api/programs/orgUnits?programs= API endpoint in DHIS2 versions prior to 2.36.10.1 and 2.37.6.1. The system is vulnerable to attack only from...

GHSA-MG2C-RC36-P594 Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter...

Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter...

Magento 2 Community Edition XSS Vulnerability

A stored cross-site scripting XSS vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing arbitrary API endpoint that will not be chcecked by sale pickup event...

GHSA-57WW-2CVR-WV38 Jenkins Job Import Plugin vulnerable to exposure of sensitive information

Jenkins Job Import Plugin did not check user permissions on its API endpoint used to access remote Jenkins instances. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...

Jenkins Job Import Plugin vulnerable to exposure of sensitive information

Jenkins Job Import Plugin did not check user permissions on its API endpoint used to access remote Jenkins instances. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...

GHSA-VHH3-MVC4-HHQ6 Jenkins Dependency Graph Viewer plugin vulnerable to missing permission checks

Jenkins Dependency Graph Viewer plugin 0.12 and earlier did not perform permission checks for the API endpoint that modifies the dependency graph, allowing anyone with Overall/Read permission to modify this data...

Account Takeover

Description In this case i found that api endpoint Leaking password and username. Proof of Concept 1. An Admin add a new secretary with access to providers 2. Secretary send a post request to https://demo.easyappointments.org/index.php/backendapi/ajaxgetcalendarappointments endpoint 3. If selecte...

CVE-2021-39390

CVE-2021-39390 describes a Stored XSS in PartKeepr 1.4.0. The vulnerability arises in the edit module where multiple API endpoints accept a name parameter without proper sanitization/validation, allowing injection of JavaScript that can be executed in the client browser. Affected software: PartKe...

CVE-2021-45839

It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X 4.2.15-2107141517 as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/webNasIPS endpoint...

Design/Logic Flaw

It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X 4.2.15-2107141517 as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/webNasIPS endpoint...

CVE-2021-45842

The CVE-2021-45842 issue affects Terramaster TOS on F4-210 and F2-210 devices running 4.2.X (4.2.15-2107141517). A request to the endpoint /module/api.php?mobile/wapNasIPS can disclose sensitive data, including the first administrator hash and other network identifiers (MAC address, internal IP)....

Command Injection

npm-dependency-versions is vulnerable to command injection. The vulnerability exists due to a lack of sanitization of input via the API endpoint via the dependencyVersions function...

Gardener 访问控制错误漏洞

Gardener is an open source Kubernetes cluster management tool. The product supports managing, monitoring, and updating Kubernetes clusters. Gardener suffers from an Access Control Error vulnerability that allows an attacker to incorrectly access the application. Configuration is leaked via a /api...

PT-2022-17942 · Mingsoft · Mingsoft Mcms

Name of the Vulnerable Software and Affected Versions: Mingsoft MCMS version 5.2.7 Description: A SQL injection issue was discovered in Mingsoft MCMS. The issue is related to the /cms/content/list API endpoint. Recommendations: For Mingsoft MCMS version 5.2.7, consider restricting access to the...

CVE-2021-20238

It was found in OpenShift Container Platform 4 that ignition config, served by the Machine Config Server, can be accessed externally from clusters without authentication. The MCS endpoint port 22623 provides ignition configuration used for bootstrapping Nodes and can include some sensitive data,...

Design/Logic Flaw

It was found in OpenShift Container Platform 4 that ignition config, served by the Machine Config Server, can be accessed externally from clusters without authentication. The MCS endpoint port 22623 provides ignition configuration used for bootstrapping Nodes and can include some sensitive data,...