
800 matches found

RedhatCVE
added 2025/02/05 4:58 a.m. · 5 views

CVE-2024-10081

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the API URL ends with Authentication. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints includ...

CVSS 10 · AI score 9.4 · EPSS 0.3922
Exploits 0 · References 1
RedhatCVE
added 2025/02/05 2:41 a.m. · 11 views

CVE-2024-33003

Some OCC API endpoints in SAP Commerce Cloud allows Personally Identifiable Information PII data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a Hi...

CVSS 9.1 · AI score 6.8 · EPSS 0.00475
Exploits 0 · References 1
RedhatCVE
added 2025/02/05 2:32 a.m. · 8 views

CVE-2024-42490

authentik is an open-source Identity Provider. Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this are /api/v3/crypto/certificatekeypairs//viewcertificate/, /api/v3/crypto/certificatekeypairs//viewprivatekey/, and...

CVSS 7.5 · AI score 7.5 · EPSS 0.00559
Exploits 0
RedhatCVE
added 2025/02/04 10:33 p.m. · 8 views

CVE-2024-8181

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. This could allow a remote, unauthenticated attacker to access API endpoints as an administrator and allow them to access restricted functionality...

CVSS 9.8 · AI score 6.8 · EPSS 0.46109
Exploits 0 · References 1
Hacker One
added 2025/02/03 9:26 p.m. · 65 views

AWS VDP: Non-Production API Endpoints for the cloudwatch Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration

The vulnerability allows adversaries to silently enumerate permissions of compromised AWS credentials for the CloudWatch service without generating logs in CloudTrail. Two non-production API endpoints were identified that can be accessed with standard IAM credentials but do not log the activity...

AI score 7
Exploits 0
Positive Technologies
added 2025/01/31 12:00 a.m. · 5 views

PT-2025-2958 · Easyvirt · Easyvirt Dcscope +1

Name of the Vulnerable Software and Affected Versions: EasyVirt DCScope versions 8.6.0 and earlier EasyVirt CO2Scope versions 1.3.0 and earlier Description: The issue allows remote authenticated attackers to execute arbitrary SQL commands. This can be achieved via various parameters to different...

CVSS 6.5 · AI score 7.6 · EPSS 0.00462
Exploits 1 · References 4
GithubExploit
added 2025/01/30 3:52 p.m. · 469 views

Exploit for Argument Injection in Atlassian Bitbucket

CVE-2022-36804 - Atlassian Bitbucket Server and Data Center Comm...

CVSS 8.8 · AI score 9.5 · EPSS 0.99174
Exploits 24
Positive Technologies
added 2025/01/24 12:00 a.m. · 5 views

PT-2025-5550 · Unknown · Call Now Button

Name of the Vulnerable Software and Affected Versions: Call Now Button versions 1.4.13 and earlier Description: A Cross-Site Request Forgery CSRF issue affects the Call Now Button, allowing unauthorized requests. The estimated number of potentially affected devices is not specified. There is no...

CVSS 4.3 · AI score 7 · EPSS 0.00214
Exploits 0 · References 6
Hacker One
added 2025/01/21 2:49 p.m. · 4 views

AWS VDP: Non-Production API Endpoints for the bedrock Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration

The bedrock service was found to have 5 non-production API endpoints that could be used with standard IAM credentials to enumerate permissions without logging to CloudTrail. The impacted endpoints allowed the invocation of bedrock:ListImportedModels and bedrock:ListModelImportJobs actions. This...

AI score 7
Exploits 0
OSV
added 2025/01/20 7:35 a.m. · 6 views

BIT-WORDPRESS-MULTISITE-2024-12028

The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of another website,...

CVSS 5.3 · AI score 5.6 · EPSS 0.00416
Exploits 0 · References 2
CISA KEV Catalog
added 2025/01/16 12:00 a.m. · 24 views

Aviatrix Controllers OS Command Injection Vulnerability

Aviatrix Controllers contain an OS command injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloudtype for listflightpathdestinationinstances, or srccloudtype for flightpathconnectiontest...

CVSS 10 · AI score 8.1 · EPSS 0.98545
In the wild · Exploits 5
Vulnrichment
added 2025/01/08 11:09 a.m. · 11 views

CVE-2024-11423 Ultimate Gift Cards for WooCommerce <= 3.0.6 - Missing Authorization to Infinite Money Glitch

The Ultimate Gift Cards for WooCommerce – Create WooCommerce Gift Cards, Gift Vouchers, Redeem & Manage Digital Gift Coupons. Offer Gift Certificates, Schedule Gift Cards, and Use Advance Coupons With Personalized Templates plugin for WordPress is vulnerable to unauthorized modification of data d...

CVSS 7.5 · AI score 6.8 · EPSS 0.00753
Exploits 0 · References 3
NVD
added 2025/01/08 1:15 a.m. · 21 views

CVE-2024-50603

An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloudtype for...

CVSS 10 · EPSS 0.98545
Exploits 5 · References 4
Vulnrichment
added 2024/12/31 6:00 a.m. · 19 views

CVE-2024-11972 Hunk Companion < 1.9.0 - Unauthenticated Plugin Installation

The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary Hunk Companion WordPress plugin before 1.9.0 from the WordPress.org repo, including vulnerable Hunk Companion WordPress plugin...

AI score 7.1 · EPSS 0.54754
Exploits 5 · References 1
RedHat Linux
added 2024/12/16 6:56 p.m. · 3 views

automation-gateway: aap-gateway: Improper Scope Handling in OAuth2 Tokens for AAP 2.5

A vulnerability was found in the Ansible Automation Platform AAP. This flaw allows attackers to escalate privileges by improperly leveraging read-scoped OAuth2 tokens to gain write access. This issue affects API endpoints that rely on ansiblebase.oauth2provider for OAuth2 authentication. While th...

CVSS 5 · AI score 5.8 · EPSS 0.0051
Exploits 0 · References 5
CNNVD
added 2024/12/13 12:00 a.m. · 4 views

PlexTrac security vulnerability

PlexTrac is a penetration test reporting and management platform from the US-based PlexTrac, Inc. A security vulnerability exists in PlexTrac versions prior to 1.61.3 through 2.8.1, which stems from the presence of a filename or path external control vulnerability that allows an attacker to achie...

CVSS 9.8 · AI score 6.7 · EPSS 0.00422
Exploits 0 · References 1
Tenable Nessus
added 2024/12/12 12:00 a.m. · 12 views

SUSE SLES15 Security Update : SUSE Manager Server 4.3 (SUSE-SU-2024:4007-1)

The remote SUSE Linux SLES15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:4007-1 advisory. release-notes-susemanager: - Update to SUSE Manager 4.3.14 Ubuntu 24.04 support as client Product migration from RHEL and Clones to SUSE Libert...

CVSS 9.8 · AI score 5.5 · EPSS 0.03948
Exploits 6 · References 60
NVD
added 2024/12/10 1:15 a.m. · 13 views

CVE-2024-47577

Webservice API endpoints for Assisted Service Module within SAP Commerce Cloud has information disclosure vulnerability. When an authorized agent searches for customer to manage their accounts, the request url includes customer data and it is recorded in server logs. If an attacker impersonating ...

CVSS 2.7 · EPSS 0.00192
Exploits 0 · References 2
Positive Technologies
added 2024/12/10 12:00 a.m. · 6 views

PT-2024-9906 · Adobe · Experience Manager

Name of the Vulnerable Software and Affected Versions: Adobe Experience Manager versions 6.5.21 and earlier Description: The issue is related to insufficient protection of the web page structure in Adobe Experience Manager, which could allow a remote attacker to execute arbitrary code...

CVSS 5.5 · AI score 6.1 · EPSS 0.00507
Exploits 0 · References 8
Positive Technologies
added 2024/12/10 12:00 a.m. · 2 views

PT-2024-9933 · Adobe · Experience Manager

Name of the Vulnerable Software and Affected Versions: Adobe Experience Manager versions 6.5.21 and earlier Description: The issue is related to insufficient protection of the web page structure in Adobe Experience Manager, which can be exploited by a remote attacker to execute arbitrary code...

CVSS 5.5 · AI score 6.1 · EPSS 0.00388
Exploits 0 · References 7