800 matches found
CVE-2024-3501 Exposure of Sensitive Information in lunary-ai/lunary
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of GET /v1/users/me and GET /v1/users/me/org API endpoints. These tokens, intended for sensitive operations such as password resets or...
Signature Verification Bypass
laravel/reverb is vulnerable to a signature verification bypass. The vulnerability is due to missing verification of request signatures for the Pusher-compatible API endpoints, which allows unauthorized requests to bypass security checks and potentially access sensitive functionality...
CVE-2024-48952
An issue was discovered in Logpoint before 7.5.0. SOAR uses a static JWT secret key to generate tokens that allow access to SOAR API endpoints without authentication. This static key vulnerability enables attackers to create custom JWT secret keys for unauthorized access to these endpoints...
GHSA-F3F8-VX3W-HP5Q codechecker vulnerable to authentication bypass when using specifically crafted URLs
Summary Authentication bypass occurs when the API URL ends with Authentication, Configuration or ServerInfo. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others. Details All...
CVE-2024-10081
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the API URL ends with Authentication. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints includ...
CVE-2024-10081
CodeChecker (analyzer tooling for Clang) is affected by CVE-2024-10081 through version 6.24.1. The vulnerability is an authentication bypass triggered when the API URL ends with Authentication, Configuration, or ServerInfo, allowing superuser access to all API endpoints other than Authentication,...
CVE-2024-51561
This vulnerability exists in Aero due to improper implementation of OTP validation mechanism in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting and manipulating the responses exchanged during the second factor authentication process...
CVE-2024-51559 Improper Access Control Vulnerability in Wave 2.0
This vulnerability exists in Wave 2.0 due to improper authorization checks on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating API input parameters to gain unauthorized access and perform malicious activities on other user accounts...
PT-2024-34157 · Laravel · Laravel Reverb
Name of the Vulnerable Software and Affected Versions: Laravel Reverb versions prior to 1.4.0 Description: The issue is related to unverified verification signatures for requests sent to Reverb's Pusher-compatible API. This API is used for scenarios such as broadcasting messages or obtaining...
PT-2025-23515 · Hewlett Packard · Hpe Storeonce
Name of the Vulnerable Software and Affected Versions: HPE StoreOnce Software affected versions not specified Description: A server-side request forgery vulnerability exists in HPE StoreOnce Software. This issue allows for exploitation through specific API endpoints, although the exact endpoints...
Fortinet FortiWeb xss (FG-IR-20-122)
The version of FortiWeb installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the FG-IR-20-122 advisory. - An improper neutralization of input during web page generation in FortiWeb GUI interface 6.3.0 through 6.3.7 and version...
CVE-2024-49357
CVE-2024-49357 affects ZimaOS (a CasaOS fork) on Zima devices and x86-64 with UEFI. Versions 1.2.4 and earlier expose sensitive data through unauthenticated API endpoints, e.g. /v1/users/image?path=/var/lib/casaos/1/app_order.json and /var/lib/casaos/1/system.json, enabling attackers to view inst...
CVE-2024-7048 IDOR in open-webui/open-webui
In version v0.3.8 of open-webui, an improper privilege management vulnerability exists in the API endpoints GET /api/v1/documents/ and POST /rag/api/v1/doc. This vulnerability allows a lower-privileged user to access and overwrite files managed by a higher-privileged admin. By exploiting this...
Improper Privilege Management
Overview: open-webui is an Open WebUI package. Affected versions of this package are vulnerable to Improper Privilege Management in the API endpoints GET /api/v1/documents/ and POST /rag/api/v1/doc. An attacker can view and overwrite files by accessing these endpoints...