Multiple Unauthenticated Remote Code Control and Execution Vulnerabilities in Multiple Cisco Products

What’s up? On Feb. 24, 2021, Cisco released many patches for multiple products, three of which require immediate attention by organizations if they are running affected systems and operating system/software configurations. They are detailed below: Cisco ACI Multi-Site Orchestrator Application...

Authentication flaw

A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator MSO installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device. The vulnerability is due to improper token validation on a specific API endpoint...

CVE-2020-16629

PhpOK 5.4.137 contains a SQL injection vulnerability that can inject an attachment data through SQL, and then call the attachment replacement function through api.php to write a PHP file to the target path...

Cisco Data Center Network Manager SQL Injection Vulnerability (CNVD-2021-09940)

Cisco Data Center Network Manager DCNM is a suite of data center network managers from Cisco that provides multiprotocol management of the network and troubleshooting of switch operating conditions and performance. A SQL injection vulnerability exists in the REST API endpoint of Cisco Data Center...

Cisco Data Center Network Manager Path Traversal Vulnerability (CNVD-2021-09308)

Cisco Data Center Network Manager DCNM is a suite of data center network managers from Cisco that provides multiprotocol management of the network and troubleshooting of switch operating conditions and performance. A path traversal vulnerability exists in one of the REST API endpoints in Cisco Da...

Enjin: Unrestricted Upload of File with Dangerous Type

The security researcher was able to execute CWE-434: Unrestricted Upload of File with Dangerous Type through a legacy API endpoint used to upload images. This file was directly upload to our CDN with the appropriate MIME time of the file...

h1-ctf: A Visit from The Grinch ~ 'Twas the night before Hackmas...

Foreword This was an amazing CTF! The first from Hackerone that I've finished and one that I have enjoyed the most. Huge shout out to @adamtlangley for creating this downright poetic challenge. My whopping 20+ invitations are already being put to good use. Hacky Holidays and Merry Hackmas! Flag 1...

h1-ctf: Hacky Holidays Writeup

On December 12th, 2020, the CTF became live and the scope that we are allowed to attack was In Scope Domain - hackyholidays.h1ctf.com Our main motive was to infiltrate his network and take him down. The challenges appeared one by one till 24th of December. Here we will be going through all the...

U.S. Dept Of Defense: Sending trusted ████ and ██████████ emails through public API endpoint in ███████ site

Summary: A publicly accessible endpoint at PUT https://████████does not validate any of its four parameters: to, from, subject, text. This enables sending email to any address, with any content, with any from address, on a server that is in ██████whitelist. Such services include, but are not...

h1-ctf: [h1-ctf] 12 Days of Adventure to stop Grinch from ruining Christmas

--------------------------------------------------------------------------------------------------------------------------------------------------- Day 1: https://hackyholidays.h1ctf.com/robots.txt User-agent: Disallow: /s3cr3t-ar3a Flag: flag48104912-28b0-494a-9995-a203d1e261e7 Here we go with t...

CVE-2020-35579

tindy2013 subconverter 0.6.4 has a /sub?target=%TARGET%&url=%URL%&config=%CONFIG% API endpoint that accepts an arbitrary %URL% value and launches a GET request for it, but does not consider that the external request target may indirectly redirect back to this original /sub endpoint. Thus, a reque...

Cross site request forgery (csrf)

tindy2013 subconverter 0.6.4 has a /sub?target=%TARGET%&url=%URL%&config=%CONFIG% API endpoint that accepts an arbitrary %URL% value and launches a GET request for it, but does not consider that the external request target may indirectly redirect back to this original /sub endpoint. Thus, a reque...

CVE-2020-35579

CVE-2020-35579 affects tindy2013 subconverter 0.6.4. The API endpoint /sub?target=%TARGET%&url=%URL%&config=%CONFIG% accepts an arbitrary URL value and issues a GET request for it, but does not account for the external request target redirecting back to the original /sub endpoint. This can create...

CVE-2020-35579

tindy2013 subconverter 0.6.4 has a /sub?target=%TARGET%&url=%URL%&config=%CONFIG% API endpoint that accepts an arbitrary %URL% value and launches a GET request for it, but does not consider that the external request target may indirectly redirect back to this original /sub endpoint. Thus, a reque...

CVE-2020-26176

An issue was discovered in tangro Business Workflow before 1.18.1. No or broken access control checks exist on the /api/document//attachments API endpoint. Knowing a document ID, an attacker can list all the attachments of a workitem, including their respective IDs. This allows the attacker to...

CVE-2020-26176

An issue was discovered in tangro Business Workflow before 1.18.1. No or broken access control checks exist on the /api/document//attachments API endpoint. Knowing a document ID, an attacker can list all the attachments of a workitem, including their respective IDs. This allows the attacker to...

CVE-2020-26176

The vulnerability CVE-2020-26176 affects tangro Business Workflow prior to 1.18.1. It arises from missing/broken access control on the /api/document//attachments endpoint, allowing an attacker who knows a document ID to enumerate all attachments for that work item and obtain their IDs. Impact as ...

Security Bulletin: IBM Cloud Functions web actions API endpoint change

Summary In order to improve the stability of the service and to prevent potential weaknesses in the services' web actions functionality we introduced a new IBM Cloud Functions API endpoint .functions.appdomain.cloud for web actions which use text/html response data. The previously used API endpoi...

U.S. Dept Of Defense: IDOR on https://██████ via POST UID enables database scraping

Summary: The UID parameter on █████████ in the ██████ ███████ system, with ███████, does not validate that the caller has permission to view information on the UID entered, thereby enabling personnel and student data extraction. Description: The user operations API endpoint for the ███ ██████████...

PT-2020-17155 · Zeroshell · Zeroshell

Name of the Vulnerable Software and Affected Versions: Zeroshell version 3.9.3 Description: The issue allows an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character in the /cgi-bin/kerbynet API endpoint, specifically through the StartSessionSubm...