CVE-2022-45932
A SQL injection issue was discovered in AAA in OpenDaylight ODL before 0.16.5. The aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/RoleStore.java deleteRole function is affected when the API interface /auth/v1/roles/ is used...
CVE-2022-45931
A SQL injection issue was discovered in AAA in OpenDaylight ODL before 0.16.5. The aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/UserStore.java deleteUser function is affected when the API interface /auth/v1/users/ is used...
The Reciprocal Value of Access to Maintainers
Last May I left Google to build a more sustainable model for Open Source maintenance. After a summer break, I resumed my maintenance work on the Go project in September, and I started offering my services to companies that rely on Go. My vision is that of Open Source maintenance as a real...
GHSA-QHH5-9738-G9MX Incorrect Default Permissions in Apache DolphinScheduler
Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another user's password through the API interface...
GHSA-PVH2-PJ76-4M96 Specification non-compliance in JUMPI
Impact In evm crate 0.31.0, JUMPI opcode's condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check. Patches This is a high severity security advisory if you use evm crate for...
Cisco Application Policy Infrastructure Controller Security Vulnerability
Cisco Application Policy Infrastructure Controller (APIC) is an automated infrastructure deployment and governance solution from Cisco. An API endpoint of Cisco Application Policy Infrastructure Controller contains an arbitrary file read/write vulnerability, which can be exploited by an attacker to read...
Huaxia ERP system has information leakage vulnerability
Huaxia ERP is open source ERP software based on the SpringBoot framework and the SaaS model, provided for small and medium-sized enterprises and currently focused on sales, inventory, finance and production functions. The Huaxia ERP system has an information leakage vulnerability that can be exploited by...
Sipwise C5 NGCP CSC Cross Site Request Forgery
Sipwise C5 NGCP CSC CSRF Click2Dial Exploit Vendor: Sipwise GmbH Product web page: https://www.sipwise.com Affected version: =CEm39.3.1 NGCP wwwadmin version 3.6.7 Summary: Sipwise C5 also known as NGCP - the Next Generation Communication Platform is a SIP-based Open Source Class 5 VoIP soft-swit...
Anhui Xufan Information Technology Co., Ltd. EasyGBS has unauthorized access vulnerability
Anhui Xufan Information Technology Co., Ltd. is a high-tech enterprise located in the high-tech zone of Hefei City, Anhui Province, focusing on the field of streaming media audio and video. Its EasyGBS product has an unauthorized access vulnerability; attackers can use the vulnerability to gain unauthorized...
QIWI: Remote Code Execution on contactws.contact-sys.com via SQL injection in TAktifBankObject.GetOrder in parameter DOC_ID
Summary The API interface on https://contactws.contact-sys.com:3456/ accepts a body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the DOCID parameter on the TAktifBankObject operation GetOrder to inject arbitrary SQL statements into...
CVE-2020-13922
Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another user's password through the API interface...
CVE-2020-13922
CVE-2020-13922 affects Apache DolphinScheduler prior to 1.3.2. An ordinary user under any tenant can override another user’s password via the API interface. Connected documents corroborate the same description across multiple sources (Red Hat, OSV, GHSA, CVE records). The exact remediation steps ...
Grandstream UCM6200 Series OS Command Injection Vulnerability (CNVD-2020-44352)
The Grandstream UCM6200 is an enterprise-class switch for IP telephony communications from Grandstream. An OS command injection vulnerability exists in the Grandstream UCM6200 series versions 1.0.20.23 and earlier. This vulnerability can be exploited by an attacker to execute commands as root by...
QIWI: SQL injection on contactws.contact-sys.com in TRateObject.AddForOffice in USER_ID parameter leads to remote code execution
Summary The API interface on https://contactws.contact-sys.com:3456/ accepts a body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the USERID parameter of the TRateObject.AddForOffice method to inject arbitrary SQL statements. This...
QIWI: SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution
Summary The API interface on https://contactws.contact-sys.com:3456/ accepts a body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the SCENID parameter to inject arbitrary SQL statements into the WHERE clause of the underlying SQL...
QIWI: Remote Code Execution on contactws.contact-sys.com via SQL injection in TCertObject operation "Delete"
Summary The API interface on https://contactws.contact-sys.com:3456/ accepts a body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the ID parameter to inject arbitrary SQL statements into the underlying prepared statement. This leads ...