48 matches found
CVE-2022-1609
The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in its license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site...
CVE-2025-2356
A vulnerability was found in BlackVue App 3.65 on Android. It has been classified as problematic. This affects the function deviceDelete of the component API Handler. The manipulation leads to use of get request method with sensitive query strings. It is possible to initiate the attack remotely...
CVE-2025-2335
A vulnerability classified as problematic was found in Drivin Soluções up to 20250226. This vulnerability affects unknown code of the file /api/school/registerSchool of the component API Handler. The manipulation of the argument message leads to cross site scripting. The attack can be initiated...
CVE-2025-2356 BlackVue App API deviceDelete get request method with sensitive query strings
A vulnerability was found in BlackVue App 3.65 on Android. It has been classified as problematic. This affects the function deviceDelete of the component API Handler. The manipulation leads to use of get request method with sensitive query strings. It is possible to initiate the attack remotely...
CVE-2025-2335
CVE-2025-2335 affects Drivin Soluções up to 20250226. The vulnerability is an XSS in the API Handler’s /api/school/registerSchool, caused by manipulation of the message argument. It can be exploited remotely and the exploit has been disclosed publicly. Affected component is the API Handler; root ...
CVE-2025-2335 Drivin Soluções API registerSchool cross site scripting
A vulnerability classified as problematic was found in Drivin Soluções up to 20250226. This vulnerability affects unknown code of the file /api/school/registerSchool of the component API Handler. The manipulation of the argument message leads to cross site scripting. The attack can be initiated...
CVE-2025-2124
A vulnerability, which was classified as problematic, was found in Control iD RH iD 25.2.25.0. This affects an unknown part of the file /v2/customerdb/person.svc/changepassword of the component API Handler. The manipulation of the argument message leads to cross site scripting. It is possible to...
CVE-2025-2124
CVE-2025-2124 affects Control iD RH iD 25.2.25.0. The issue resides in the API handler, specifically the file path /v2/customerdb/person.svc/change_password, where manipulation of the argument message leads to cross-site scripting. It can be initiated remotely and the exploit has been disclosed p...
CVE-2025-2124 Control iD RH iD API change_password cross site scripting
A vulnerability, which was classified as problematic, was found in Control iD RH iD 25.2.25.0. This affects an unknown part of the file /v2/customerdb/person.svc/changepassword of the component API Handler. The manipulation of the argument message leads to cross site scripting. It is possible to...
CVE-2024-6893
The "soapcgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources...
CVE-2024-6893
Journyx CVE-2024-6893 is an XML External Entity (XXE) vulnerability in the soap_cgi.pyc API handler of Journyx 11.5.4. An unauthenticated attacker can send SOAP requests with XML references to external entities, enabling reading local files, SSRF, and DoS by resource exhaustion. The connected Kor...
PT-2024-37934
Name of the Vulnerable Software and Affected Versions: soap cgi.pyc (affected versions not specified). Description: The issue allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources by including references to external entities...
(Pwn2Own) Synology BC500 update_ntp_config Command Injection Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology BC500 IP cameras. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of the server parameter provided to the syno-api handler. T...
Fortinet FortiWeb Path traversal in API handler (FG-IR-22-136)
The version of FortiWeb installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the FG-IR-22-136 advisory. - A relative path traversal vulnerability CWE-23 in FortiWeb 7.0.0 through 7.0.1, 6.3.6 through 6.3.18, 6.4 all versions may...
Email Validation Bypass And Preventing Sign Up From Email's Owner
Summary: Email validation can easily be bypassed because the verifyemailenabled option enables email validation at sign-up only. A user changing their email after signing up and verifying it can change it without verification in /profile. This can be used to prevent the legitimate owner of the email address...
CVE-2023-33237
TN-5900 Series firmware version v3.3 and prior is vulnerable to an improper-authentication vulnerability. This vulnerability arises from inadequate authentication measures implemented in the web API handler, allowing low-privileged APIs to execute restricted actions that only high-privileged APIs ar...