800 matches found

CNVD · added 2024/07/12 12:00 a.m. · 7 views

Fortinet FortiAIOps Log Information Disclosure Vulnerability

Fortinet FortiAIOps is a Fortinet networking solution that combines artificial intelligence and machine learning (AI/ML). A log information disclosure vulnerability exists in Fortinet FortiAIOps version 2.0.0, which stems from the application not adequately protecting sensitive...

CVSS 8.8 · AI score 6.4 · EPSS 0.00764 · Exploits 0 · References 1
CVE · added 2024/06/27 6:42 p.m. · 84 views

CVE-2024-5714

CVE-2024-5714 - Lunary in lunary-ai/lunary v1.2.4 is an improper access control vulnerability. Members with team management permissions can manipulate project identifiers in requests, enabling actions such as inviting users to projects in other organizations and changing members to projects with ...

CVSS 7.4 · AI score 6.7 · EPSS 0.00512 · Exploits 1 · References 2 · Affected Software 1
Cvelist · added 2024/06/27 6:42 p.m. · 30 views

CVE-2024-5714 Improper Access Control in lunary-ai/lunary

In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other organizations with...

CVSS 7.4 · EPSS 0.00512 · Exploits 1 · References 2
Positive Technologies · added 2024/06/21 12:00 a.m. · 4 views

PT-2024-27707 · Tessi · Tessi Docubase Document Management

Name of the Vulnerable Software and Affected Versions: Tessi Docubase Document Management product versions 5.x. Description: The issue allows a remote attacker to execute arbitrary code via the idactivity parameter, which is related to a Cross Site Scripting vulnerability. Recommendations: For Tes...

CVSS 5.4 · AI score 7.6 · EPSS 0.00602 · Exploits 1 · References 7
Veracode · added 2024/06/05 6:50 a.m. · 11 views

SQL Injection

github.com/goharbor/harbor is vulnerable to SQL Injection. The vulnerability is due to the improper usage of prepared statements within the ListScanTasksByReportUUID function in task.go, which allows an attacker with administrator, projectadmin, or projectmaintainer roles to execute arbitrary SQL...

CVSS 5.5 · AI score 7.8 · EPSS 0.00417 · Exploits 0 · References 2 · Affected Software 1
Veracode · added 2024/06/05 6:49 a.m. · 15 views

Sensitive Information Disclosure

ethycafides is vulnerable to Information Disclosure. The vulnerability is due to improper masking of nested sensitive fields such as privatekey in the BigQuery connection configuration, which allows an attacker to expose the sensitive fields in plaintext via certain API endpoints...

CVSS 6.5 · AI score 6.4 · EPSS 0.00577 · Exploits 1 · References 3 · Affected Software 1
The Hacker News · added 2024/06/03 10:20 a.m. · 13 views

Researcher Uncovers Flaws in Cox Modems, Potentially Impacting Millions

Now-patched authorization bypass issues impacting Cox modems could have been abused as a starting point to gain unauthorized access to the devices and run malicious commands. "This series of vulnerabilities demonstrated a way in which a fully external attacker with no prerequisites could've...

AI score 8.1 · Exploits 0
CNVD · added 2024/05/31 12:00 a.m. · 1 view

JetBrains TeamCity Permission Issues Vulnerability

JetBrains TeamCity is a set of distributed build management and continuous integration tools from the Czech company JetBrains. The tool provides continuous unit testing, code quality analysis and build problem analysis reports and other features. JetBrains TeamCity suffers from a permissions issu...

CVSS 8.1 · AI score 7.1 · EPSS 0.0033 · Exploits 0 · References 1
OSV · added 2024/05/29 2:15 p.m. · 1 view

CVE-2024-36377

In JetBrains TeamCity before 2024.03.2 certain TeamCity API endpoints did not check user permissions...

CVSS 8.1 · AI score 5.8 · EPSS 0.0033 · Exploits 0 · References 1
Vulnrichment · added 2024/05/15 3:44 p.m. · 15 views

CVE-2024-3319 Security implication in SailPoint Identity Security Cloud IdentityProfile API Endpoints

An issue was identified in the Identity Security Cloud (ISC) Transform preview and IdentityProfile preview API endpoints that allowed an authenticated administrator to execute user-defined templates as part of attribute transforms, which could allow remote code execution on the host...

CVSS 9.1 · AI score 8.1 · EPSS 0.00801 · Exploits 0 · References 1
OSV · added 2024/05/14 4:17 p.m. · 1 view

CVE-2024-33865

An issue was discovered in linqi before 1.4.0.1 on Windows. There is an NTLM hash leak via the /api/Cdn/GetFile and /api/DocumentTemplate/GUID endpoints...

CVSS 7.5 · AI score 5.8 · EPSS 0.00659 · Exploits 0 · References 2
Cvelist · added 2024/05/14 1:32 p.m. · 24 views

CVE-2024-33865

An issue was discovered in linqi before 1.4.0.1 on Windows. There is an NTLM hash leak via the /api/Cdn/GetFile and /api/DocumentTemplate/GUID endpoints...

AI score 6.8 · EPSS 0.00659 · Exploits 0 · References 2
CVE · added 2024/05/09 7:44 p.m. · 93 views

CVE-2022-32510

An issue in Nuki Bridge where the HTTP API admin interface was exposed over an unencrypted channel, allowing an attacker who can access the network to eavesdrop on a token and impersonate a legitimate user to access the full API. Affected: Nuki Bridge v1 before 1.22.0 and v2 before 2.13.2. Root caus...

CVSS 7.1 · AI score 6.9 · EPSS 0.0161 · Exploits 0 · References 4
Github Security Blog · added 2024/05/01 10:01 a.m. · 61 views

Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation

Summary: Installation of a maliciously crafted plugin allows for remote code execution by an authenticated attacker. Details: Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding AP...

CVSS 8.8 · AI score 8.2 · EPSS 0.01661 · Exploits 1 · References 7 · Affected Software 1
Positive Technologies · added 2024/05/01 12:00 a.m. · 4 views

PT-2024-25026 · Nautobot · Nautobot

Name of the Vulnerable Software and Affected Versions: Nautobot versions prior to 1.6.20; Nautobot versions prior to 2.2.3. Description: A Reflected Cross-Site Scripting (Reflected XSS) attack can be executed against users due to improper handling and escaping of user-provided query parameters in...

CVSS 7.5 · AI score 6.6 · EPSS 0.00491 · Exploits 0 · References 16
Positive Technologies · added 2024/05/01 12:00 a.m. · 3 views

PT-2024-25189 · Unknown · Realisation Mgsd

Name of the Vulnerable Software and Affected Versions: Realisation MGSD version 1.0. Description: The issue allows a remote attacker to obtain sensitive information. This is achieved via the id parameter. Recommendations: For version 1.0, avoid using the id parameter in affected API endpoints unti...

CVSS 8.2 · AI score 7 · EPSS 0.00451 · Exploits 0 · References 3
GithubExploit · added 2024/04/24 4:33 p.m. · 501 views

Exploit for Missing Authentication for Critical Function in Jetbrains Teamcity

CVE-2023-42793 - TeamCity Admin Account Creation leads to RCE...

CVSS 9.8 · AI score 10 · EPSS 0.99979 · Exploits 17
Kitploit · added 2024/04/12 12:30 p.m. · 57 views

Porch-Pirate - The Most Comprehensive Postman Recon / OSINT Client And Framework That Facilitates The Automated Discovery And Exploitation Of API Endpoints And Secrets Committed To Workspaces, Collections, Requests, Users And Teams

Porch Pirate started as a tool to quickly uncover Postman secrets, and has slowly begun to evolve into a multi-purpose reconnaissance / OSINT framework for Postman. While existing tools are great proofs of concept, they only attempt to identify very specific keywords as "secrets", and in very...

AI score 7.2 · Exploits 0 · References 1
CNVD · added 2024/04/12 12:00 a.m. · 7 views

Siemens SINEC NMS Path Traversal Vulnerability (CNVD-2024-27532)

Siemens SINEC NMS is a network management system (NMS) from Siemens, Germany, that can be used 24/7 to centrally monitor, manage and configure industrial networks with tens of thousands of devices, including safety-related areas. A path traversal vulnerability exists in Siemens SINEC NMS versions...

CVSS 7.6 · AI score 6.5 · EPSS 0.00464 · Exploits 0 · References 1
Positive Technologies · added 2024/04/12 12:00 a.m. · 2 views

PT-2024-23045 · Timber · Timber

Name of the Vulnerable Software and Affected Versions: Timber versions 1.23.0 and earlier. Description: The issue is related to Deserialization of Untrusted Data, which can lead to remote code execution, especially when used with frameworks or developer code that have vulnerable POP chains. This i...

CVSS 8 · AI score 7.8 · EPSS 0.00454 · Exploits 0 · References 10