798 matches found
CommScope Ruckus IoT Controller 1.7.1.0 Unauthenticated API Endpoints
KL-001-2021-001: CommScope Ruckus IoT Controller Unauthenticated API Endpoints Title: CommScope Ruckus IoT Controller Unauthenticated API Endpoints Advisory ID: KL-001-2021-001 Publication Date: 2021.05.26 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2021-001.txt 1...
CVE-2021-21430
OpenAPI Generator allows generation of API client libraries SDK generation, server stubs, documentation and configuration automatically given an OpenAPI Spec. Using File.createTempFile in JDK will result in creating and using insecure temporary files that can leave application and system data...
CVE-2021-21430
OpenAPI Generator contains a vulnerability where code generated for Java/Scala performs insecure temporary file creation via File.createTempFile, risking exposure of application/data when handling binary uploads/downloads. Affected generators include Java (jersey2, okhttp-gson default) and scala-...
Kiterunner - Contextual Content Discovery Tool
For the longest of times, content discovery has been focused on finding files and folders. While this approach is effective for legacy web servers that host static files or respond with 3xx’s upon a partial path, it is no longer effective for modern web applications, specifically APIs. Over time,...
Cisco SD-WAN vManage Information Disclosure (cisco-sa-sd-wan-vmanage-9VZO4gfU)
According to its self-reported version, Cisco SD-WAN Viptela Software is affected by an information disclosure vulnerability due to improper access controls on API endpoints when running in multi-tenant mode. An unauthenticated, adjacent attacker can exploit this, by sending a request to an...
CVE-2021-29490
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery SSRF attacks via the imageUrl parameter. This issue potentially exposes both internal and...
CVE-2021-1515
A vulnerability in Cisco SD-WAN vManage Software could allow an unauthenticated, adjacent attacker to gain access to sensitive information. This vulnerability is due to improper access controls on API endpoints when Cisco SD-WAN vManage Software is running in multi-tenant mode. An attacker with...
CVE-2021-1515
A vulnerability in Cisco SD-WAN vManage Software could allow an unauthenticated, adjacent attacker to gain access to sensitive information. This vulnerability is due to improper access controls on API endpoints when Cisco SD-WAN vManage Software is running in multi-tenant mode. An attacker with...
Server side request forgery (ssrf)
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery SSRF attacks via the imageUrl parameter. This issue potentially exposes both internal and...
Improper access control
A vulnerability in Cisco SD-WAN vManage Software could allow an unauthenticated, adjacent attacker to gain access to sensitive information. This vulnerability is due to improper access controls on API endpoints when Cisco SD-WAN vManage Software is running in multi-tenant mode. An attacker with...
CVE-2021-1515 Cisco SD-WAN vManage Information Disclosure Vulnerability
A vulnerability in Cisco SD-WAN vManage Software could allow an unauthenticated, adjacent attacker to gain access to sensitive information. This vulnerability is due to improper access controls on API endpoints when Cisco SD-WAN vManage Software is running in multi-tenant mode. An attacker with...
CVE-2021-20990
In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode...
CVE-2021-20990
Fibaro Home Center 2 and Lite devices with firmware 4.600 and older expose an internal management service on port 8000 that can be accessed without authentication to trigger shutdown, reboot, or reboot into recovery mode. A fix is available in newer firmware (e.g., 4.610); implementing an upgrade...
PT-2021-14319 · Fibaro · Fibaro Home Center Lite +1
Name of the Vulnerable Software and Affected Versions: Fibaro Home Center 2 and Lite versions 4.600 and older Description: The issue concerns an internal management service accessible on port 8000, where certain API endpoints can be accessed without authentication. This allows unauthorized action...
PT-2021-14479 · Jellyfin · Jellyfin
Name of the Vulnerable Software and Affected Versions: Jellyfin versions prior to 10.7.1 Description: The issue allows arbitrary file read from a Jellyfin server's file system with well-crafted requests to certain "API Endpoints". This is more prevalent when Windows is used as the host OS. Server...
Cross site request forgery (csrf)
The CSRF Cross Site Request Forgery token check was improperly implemented on cookie authenticated requests against some ocs API endpoints. This affects ownCloud/core version 10.6...
Cisco Data Center Network Manager Configuration Bypass Vulnerability
Cisco Data Center Network Manager DCNM is a suite of data center network managers from Cisco that provides multiprotocol management of the network and troubleshooting of switch operating conditions and performance. A configuration bypass vulnerability exists in one of the REST API endpoints in...
CVE-2021-1247
Multiple vulnerabilities in certain REST API endpoints of Cisco Data Center Network Manager DCNM could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory...
CVE-2021-21471
In CLA-Assistant, versions before 2.8.5, due to improper access control an authenticated user could access API endpoints which are not intended to be used by the user. This could impact the integrity of the application...
Improper access control
In CLA-Assistant, versions before 2.8.5, due to improper access control an authenticated user could access API endpoints which are not intended to be used by the user. This could impact the integrity of the application...