PT-2023-16636 · Devolutions · Devolutions Server
Name of the Vulnerable Software and Affected Versions: Devolutions Server versions 2022.3.12 and earlier Description: The issue concerns improper access controls on certain API endpoints, potentially allowing a user with standard privileges to execute actions that require higher privileges...
PT-2023-1543
Name of the Vulnerable Software and Affected Versions: Joomla! versions 4.0.0 through 4.2.7 Description: An improper access check exists in Joomla! versions 4.0.0 through 4.2.7, allowing unauthorized access to webservice endpoints. Attackers can exploit this issue to gain access to sensitive...
SUSE CVE-2016-3723
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints...
PT-2023-2967 · Faronics · Faronics Insight
Name of the Vulnerable Software and Affected Versions: Faronics Insight version 10.0.19045 Description: An issue in Faronics Insight allows a remote attacker to communicate with private API endpoints, such as "/login", "/consoleSettings", and "/console", despite Virtual Host Routing being used to...
Improper access control
An issue was discovered in LIVEBOX Collaboration vDesk before v018. Broken Access Control can occur under the /api/v1/registration/validateEmail endpoint, the /api/v1/vdeskintegration/user/adduser endpoint, and the /api/v1/registration/changePasswordUser endpoint. The web application is affected ...
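The Devolutions Server, Joomla!, Jenkins and LIVEBOX vDesk entries above share one root cause: an API endpoint was registered without an authorization check, so any caller who could reach the URL was served. The example below is added here to show the fail-closed alternative; it is not code from any of those products. It assumes a constructed router in which every handler must declare the permission it requires, a handler registered without one is refused at dispatch time, and an audit helper lists such handlers so they are caught in review rather than by an attacker. The permission names, paths and principals are made up for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """Constructed caller identity: a name plus the permissions it holds."""
    name: str
    permissions: frozenset = field(default_factory=frozenset)


class AuthorizationError(Exception):
    pass


class Api:
    """Minimal router (example code, not any vendor's). Each handler declares the
    permission it requires; a handler registered without one is refused at
    dispatch time instead of being served, and can be listed for review."""

    def __init__(self):
        self._routes = {}  # path -> (required permission or None, handler)

    def route(self, path, requires=None):
        def register(handler):
            self._routes[path] = (requires, handler)
            return handler
        return register

    def dispatch(self, principal, path, **params):
        if path not in self._routes:
            raise LookupError(path)
        requires, handler = self._routes[path]
        if requires is None:
            # Deny by default: an endpoint nobody classified must not be reachable.
            raise AuthorizationError(f"{path}: no permission declared")
        if requires not in principal.permissions:
            raise AuthorizationError(f"{path}: {principal.name} lacks {requires}")
        return handler(principal, **params)

    def call(self, principal, path, **params):
        """HTTP-style wrapper returning (status, body)."""
        try:
            return 200, self.dispatch(principal, path, **params)
        except LookupError:
            return 404, None
        except AuthorizationError as exc:
            return 403, str(exc)

    def unprotected_routes(self):
        """Audit: every registered path that has no permission attached."""
        return sorted(path for path, (req, _) in self._routes.items() if req is None)


api = Api()


@api.route("/api/users", requires="users:read")
def list_users(principal):
    return ["alice", "bob"]


@api.route("/api/users/create", requires="users:write")
def create_user(principal, name):
    return {"created": name}


@api.route("/api/plugins/installed")  # permission forgotten: deny-by-default applies
def installed_plugins(principal):
    return ["git", "ldap"]


# Constructed principals: a read-only user and an administrator.
READER = Principal("reader", frozenset({"users:read"}))
ADMIN = Principal("admin", frozenset({"users:read", "users:write"}))

if __name__ == "__main__":
    for who in (READER, ADMIN):
        for path in ("/api/users", "/api/users/create", "/api/plugins/installed"):
            extra = {"name": "eve"} if path.endswith("create") else {}
            print(who.name, path, api.call(who, path, **extra))
    print("unprotected:", api.unprotected_routes())
```

The audit call is the piece worth wiring into CI: a non-empty result from unprotected_routes() means a route shipped without a classification, which is exactly the state the advisories above describe.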
Exploit for Argument Injection in Atlassian Bitbucket
CVE-2022-36804: Pre-Auth RCE in Atlassian Bitbucket Server A c...
PT-2023-10189 · Opendns · Opendns Openresolve
Name of the Vulnerable Software and Affected Versions: OpenDNS OpenResolve affected versions not specified Description: A problem was found in OpenDNS OpenResolve, related to the function get of the file resolverapi/endpoints.py of the component API. This issue leads to cross-site scripting. The...
PT-2022-27076 · Unknown · Simmeth Lieferantenmanager
Name of the Vulnerable Software and Affected Versions: Simmeth Lieferantenmanager versions prior to 5.6 Description: An issue was discovered where an attacker can make various API calls without authentication because the password in a Credential Object is not checked. This allows unauthorized...
CVE-2022-24189
The usertoken authorization header on the Ourphoto App version 1.4.1 /apiv1/ end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. This allows an attacker to POST API calls with other use...
PT-2022-16529 · Unknown · Ourphoto App
Name of the Vulnerable Software and Affected Versions: Ourphoto App version 1.4.1 Description: The issue concerns the improper implementation of the user token authorization header on the /apiv1/ API endpoints. This allows an attacker to bypass authorization and session management by removing the...
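The two Ourphoto entries describe a fail-open token check: the usertoken header is validated only when it is present, so a request with the header removed is accepted and acts as whichever account the request body names. The example below is added to show that pattern beside its fail-closed form; it is not Ourphoto's code and nothing about the real token format is known from the entries. It assumes a constructed HMAC-signed token of the form user_id.hex_mac, a constructed user table and a made-up post_photo endpoint.

```python
import hashlib
import hmac

# Constructed server secret and user table for this example only.
SECRET = b"example-server-secret-do-not-reuse"
USERS = {"u1001": "alice", "u1002": "bob"}


def issue_token(user_id: str) -> str:
    """Mint a token of the constructed form <user_id>.<hmac-sha256 hex>."""
    mac = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def _verify_token(token: str):
    """Return the user id bound to a well-formed, correctly signed token, else None."""
    if "." not in token:
        return None
    user_id, mac = token.rsplit(".", 1)
    expected = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected) or user_id not in USERS:
        return None
    return user_id


def authorize_vulnerable(headers: dict, body: dict):
    """Fail-open pattern like the one the entries describe: the token is checked
    only when present, and otherwise the caller's identity is taken from the body."""
    token = headers.get("usertoken")
    if token:
        user_id = _verify_token(token)
        if user_id is None:
            raise PermissionError("bad token")
        return user_id
    # No header: the request is accepted and acts as whoever the body names.
    return body.get("user_id")


def authorize_hardened(headers: dict, body: dict):
    """Fail-closed: a missing or malformed token is rejected, identity comes only
    from the verified token, and a body user_id that disagrees is refused."""
    token = headers.get("usertoken")
    if not token:
        raise PermissionError("missing usertoken header")
    user_id = _verify_token(token)
    if user_id is None:
        raise PermissionError("bad token")
    if "user_id" in body and body["user_id"] != user_id:
        raise PermissionError("body user_id does not match token")
    return user_id


def post_photo(authorize, headers: dict, body: dict) -> str:
    """Constructed endpoint: returns the account name the post is attributed to."""
    user_id = authorize(headers, body)
    return USERS[user_id]


def denies(authorize, headers: dict, body: dict) -> bool:
    """True if the given authorizer rejects the request."""
    try:
        authorize(headers, body)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Header removed, body names bob: the fail-open check posts as bob.
    print(post_photo(authorize_vulnerable, {}, {"user_id": "u1002"}))
    print(denies(authorize_hardened, {}, {"user_id": "u1002"}))
```

The test a reviewer wants for any token-checking middleware is the second call above: strip the header entirely, not just corrupt it, and confirm the request is refused.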
Denial Of Service (DOS)
github.com/mattermost/mattermost-server is vulnerable to Denial of Service (DoS). The vulnerability exists in userstore.go: an authenticated user can send multiple requests to one of the API endpoints that fetches a large amount of data and crash the server...
Denial of service in Mattermost
A denial-of-service vulnerability in the Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data...
CVE-2022-4019
A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints...
CVE-2022-4019: An authenticated user could send multiple requests containing a large payload to a Playbooks API endpoint and crash a Mattermost server
A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints...
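The Mattermost entries above describe the same failure mode twice: an authenticated user repeats large or data-heavy requests against one API endpoint until the server runs out of resources. The example below is added to show the two server-side limits that address it, a bounded body reader that refuses oversized payloads before buffering them, and a per-user in-flight cap that stops one account from stacking expensive calls; it is not Mattermost's code. The limits, the handler name and the byte streams are constructed for the example.

```python
import io
import threading
from collections import defaultdict

MAX_BODY_BYTES = 64 * 1024     # constructed limit for this example
MAX_INFLIGHT_PER_USER = 2      # constructed limit for this example


class RequestTooLarge(Exception):
    pass


class TooManyRequests(Exception):
    pass


def read_body_bounded(stream, limit: int = MAX_BODY_BYTES) -> bytes:
    """Read at most `limit` bytes in chunks and refuse anything longer.
    Reading the whole body and checking len() afterwards would already have
    spent the memory the attacker wanted the server to spend."""
    chunks, total = [], 0
    while True:
        chunk = stream.read(min(8192, limit - total + 1))
        if not chunk:
            break
        total += len(chunk)
        if total > limit:
            raise RequestTooLarge(f"body exceeds {limit} bytes")
        chunks.append(chunk)
    return b"".join(chunks)


class InflightLimiter:
    """Caps concurrent requests per authenticated user so a single account
    cannot pile up many expensive calls against a data-heavy endpoint."""

    def __init__(self, max_inflight: int = MAX_INFLIGHT_PER_USER):
        self.max_inflight = max_inflight
        self._counts = defaultdict(int)
        self._lock = threading.Lock()

    def acquire(self, user: str):
        with self._lock:
            if self._counts[user] >= self.max_inflight:
                raise TooManyRequests(f"{user}: {self.max_inflight} requests already in flight")
            self._counts[user] += 1

    def release(self, user: str):
        with self._lock:
            self._counts[user] -= 1

    def inflight(self, user: str) -> int:
        with self._lock:
            return self._counts[user]


def handle_playbook_post(limiter: InflightLimiter, user: str, stream):
    """Constructed handler returning an HTTP-style (status, detail) pair."""
    try:
        limiter.acquire(user)
    except TooManyRequests as exc:
        return 429, str(exc)
    try:
        body = read_body_bounded(stream)
    except RequestTooLarge as exc:
        return 413, str(exc)
    finally:
        limiter.release(user)
    return 200, f"accepted {len(body)} bytes"


def body_stream(data: bytes):
    """Constructed request body as a readable stream."""
    return io.BytesIO(data)


if __name__ == "__main__":
    lim = InflightLimiter()
    print(handle_playbook_post(lim, "alice", body_stream(b"x" * 1000)))
    print(handle_playbook_post(lim, "alice", body_stream(b"x" * (MAX_BODY_BYTES + 1))))
    lim.acquire("bob"); lim.acquire("bob")   # two requests from bob still running
    print(handle_playbook_post(lim, "bob", body_stream(b"x")))
```

Both limits are cheap to enforce at the edge; the point is to apply them before the expensive fetch, and per authenticated identity rather than per source address, since the entries concern an authenticated caller.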
Miele appWash Access Control Error Vulnerability
Miele appWash is a laundry room digitization app from Miele Germany. Miele appWash suffers from an Access Control Error vulnerability that stems from the use of an API endpoint to bypass authorization checks. An attacker could use this vulnerability to gain read and partial write access to data...
CVE-2022-39833
FileCloud versions 20.2 and later allow remote attackers to potentially cause unauthorized remote code execution and access to reported API endpoints via a crafted HTTP request...
Oracle Linux 9 : grafana (ELSA-2022-8057)
The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2022-8057 advisory. - resolve CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse functions - resolve CVE-2022-1705 golang: net/http: improper sanitization of...
CVE-2022-20926
A vulnerability in the web management interface of the Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. The vulnerability is due to insufficient validation of user-supplied parameters for...