CVE-2022-36804
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before...
PT-2022-17167 · Candidats · Candidats
Name of the Vulnerable Software and Affected Versions: CandidATS version 3.0.0 Beta Description: The issue allows an authenticated user to inject SQL queries through specific API endpoints, including '/index.php?m=settings&a=show' via the userID parameter, '/index.php?m=candidates&a=show' via the...
PT-2022-24386 · Unknown · Eyesofnetwork
Name of the Vulnerable Software and Affected Versions: Eyes of Network affected versions not specified Description: The issue is related to improper neutralization of input during web page generation, making the Eyes of Network web application susceptible to cross-site scripting attacks. This can...
CVE-2022-33138
A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). Affected devices do not perform authentication f...
GHSA-JWFV-5HWQ-F97R Mattermost Server exposes team invite IDs through API endpoints
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints...
GHSA-C264-8834-PPJ2 CSRF vulnerability in Jenkins Swarm Plugin
Swarm Plugin adds API endpoints to add or remove agent labels. In Swarm Plugin 3.20 and earlier these only require a global Swarm secret to use, and no regular permission check is performed. This allows users with Agent/Create permission to add or remove labels of any agent. Additionally, these A...
GHSA-J852-MP82-WV2G Improper permission checks in Jenkins Swarm Plugin
Swarm Plugin adds API endpoints to add or remove agent labels. In Swarm Plugin 3.20 and earlier these only require a global Swarm secret to use, and no regular permission check is performed. This allows users with Agent/Create permission to add or remove labels of any agent. Swarm Plugin 3.21...
GHSA-V98H-RV7J-HF6J Jenkins Google Compute Engine Plugin Missing Authorization vulnerability
Missing permission checks in various API endpoints in Jenkins Google Compute Engine Plugin 4.1.1 and earlier allow attackers with Overall/Read permission to obtain limited information about the plugin configuration and environment. Google Compute Engine Plugin 4.2.0 requires the appropriate...
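The Jenkins Swarm Plugin and Google Compute Engine Plugin entries above describe the same defect class: plugin API endpoints gated by a shared secret, or by nothing beyond Overall/Read, with no check of the caller's Jenkins permission on the object being acted on. The block below is an added example, not code from either plugin, that shows the weak form of such an endpoint beside a hardened one using the standard Jenkins `checkPermission` and `@RequirePOST` mechanisms. The class, its URL name, the parameter names and the `SHARED_SECRET` constant are assumptions made for illustration.

```java
import hudson.Extension;
import hudson.model.Computer;
import hudson.model.Node;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/**
 * Hypothetical plugin action exposing /exampleLabels/... on the Jenkins root.
 * The class name, URL name and parameter names are assumptions for illustration.
 */
@Extension
public class ExampleLabelAction implements RootAction {

    // Assumption: a real plugin reads this from its persisted configuration,
    // not from a compile-time constant.
    private static final String SHARED_SECRET = "replace-me";

    // Weak pattern, as described for Swarm Plugin 3.20 and earlier: the only gate
    // is a global shared secret, so anyone holding it may relabel ANY agent, and
    // because a GET request is accepted, a crafted link or image tag on another
    // site can trigger it in the victim's browser (CSRF).
    public HttpResponse doAddLabelWeak(@QueryParameter String name,
                                       @QueryParameter String label,
                                       @QueryParameter String secret) throws IOException {
        if (!constantTimeEquals(secret, SHARED_SECRET)) {
            return HttpResponses.forbidden();
        }
        return appendLabel(name, label);
    }

    // Hardened pattern: authorization is decided by a permission check against
    // the specific agent (the same check the UI applies for "Configure" on that
    // node), and @RequirePOST rejects plain GET so Jenkins' crumb check applies.
    // The shared secret stays as an additional gate, not as the authorization.
    @RequirePOST
    public HttpResponse doAddLabel(@QueryParameter String name,
                                   @QueryParameter String label,
                                   @QueryParameter String secret) throws IOException {
        Node node = Jenkins.get().getNode(name);
        if (node == null) {
            return HttpResponses.notFound();
        }
        Computer computer = node.toComputer();
        if (computer == null) {
            return HttpResponses.notFound();
        }
        // Throws AccessDeniedException (rendered as HTTP 403) unless the caller
        // holds Computer/Configure on this particular agent.
        computer.checkPermission(Computer.CONFIGURE);
        if (!constantTimeEquals(secret, SHARED_SECRET)) {
            return HttpResponses.forbidden();
        }
        return appendLabel(name, label);
    }

    // Shared mutation: append one label atom to the node's label string and
    // persist the node. Label syntax is restricted to a conservative character set.
    private HttpResponse appendLabel(String name, String label) throws IOException {
        Jenkins jenkins = Jenkins.get();
        Node node = jenkins.getNode(name);
        if (node == null) {
            return HttpResponses.notFound();
        }
        if (label == null || !label.matches("[A-Za-z0-9._-]+")) {
            return HttpResponses.errorWithoutStack(400, "invalid label");
        }
        String current = node.getLabelString();
        node.setLabelString(current.isEmpty() ? label : current + " " + label);
        jenkins.updateNode(node);
        return HttpResponses.ok();
    }

    // Compare secrets without leaking their length-prefix match through timing.
    private static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) {
            return false;
        }
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    @Override public String getIconFileName() { return null; } // no sidebar link
    @Override public String getDisplayName() { return "Example labels"; }
    @Override public String getUrlName() { return "exampleLabels"; }
}
```

The hardened endpoint must be called with POST and either a valid crumb or an API token (token-authenticated requests are exempt from the crumb check), and it succeeds only for a user who could already configure that agent through the UI. That is the property the fixed plugin versions in the entries above restore: a user with Agent/Create or Overall/Read alone can no longer act on, or read the configuration of, agents and resources they were never granted.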
CVE-2022-1505
The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-api-endpoints.php file. This makes it possible for unauthenticated attackers to steal sensitive informati...
CVE-2021-39390
Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter...
Shopify: Collaborators and Staff members without all necessary permissions are able to create, edit and install custom apps
Summary: Custom Apps - Permissions. The store owner, collaborators and staff members can create, edit and install custom apps for their Shopify store. Therefore, these users need multiple permissions. The permissions "View apps developed by staff and collaborators", "Develop apps" and "Manage and install...
Server-side request forgery (SSRF)
The iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant actions via internal API endpoints...
CVE-2022-29556
CVE-2022-29556 affects the iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2. The vulnerability arises from the Azure IoT Hub integration, which exposes SSRF primitives that can be used to execute cross-tenant actions via internal API endpoints. This leads to potentia...
Northern.tech Mender Enterprise code issue vulnerability
Northern.tech Mender Enterprise is a wireless update manager for IoT devices from Northern.tech. A security vulnerability exists in Northern.tech Mender Enterprise prior to version 3.2.2, which stems from the iot-manager microservice 1.0.0 that allows SSRF because the Azure IoT Hub integration...