CVE-2024-41110

Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins AuthZ under specific circumstances. The base likelihood of this being...

CVE-2024-41110 Moby authz zero length regression

Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins AuthZ under specific circumstances. The base likelihood of this being...

CVE-2024-41110 Moby authz zero length regression

Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins AuthZ under specific circumstances. The base likelihood of this being...

Exploit for Command Injection in Nginxui Nginx_Ui

CVE-2024-22198 - authenticated remote code execution in Nginx-...

CVE-2024-5812 Smart Rule Overwrite Bypass in BeyondInsight PasswordSafe

A low severity vulnerability in BIPS has been identified where an attacker with high privileges or a compromised high privilege account can overwrite Read-Only smart rules via a specially crafted API request...

CVE-2024-5812

CVE-2024-5812 affects BeyondInsight PasswordSafe (BIPS) where an attacker with high privileges or a compromised high-privilege account can overwrite Read-Only smart rules via a specially crafted API request. Root cause is described as a bypass of smart rule protection enabling modification by aut...

BeyondInsight Security Breach

BeyondInsight is a Privileged Access Management PAM reporting platform from BeyondTrust USA. BeyondInsight suffers from a security vulnerability that stems from an attacker with an elevated privilege account being able to override read-only smart rules via a specially crafted API request...

Mirth Connect deserialization vulnerability

Added: 05/23/2024 Background Mirth Connect is an application which translates message standards for healthcare systems. Problem A deserialization vulnerability in Mirth Connect allows remote attackers to execute arbitrary commands by sending a specially crafted API request. Resolution Upgrade to...

GHSA-7V7M-PCW5-H3CG Pusher Service Channel Authentication Bypass

The service offered by Pusher provides "private" channels with an authentication mechanism that restricts subscription access. The decision on allowing subscriptions to private channels is delegated to customers, who implement an authentication endpoint. End-users request a token from this endpoi...

Unspecified Vulnerability in Apache Superset (CNVD-2024-24409)

Apache Superset is a data visualization and data exploration platform from the Apache USA Foundation. A security vulnerability exists in Apache Superset versions prior to 3.1.2, which can be exploited by an authenticated attacker to access metadata from data sources they are not authorized to vie...

CVE-2024-34695 WOWS Karma vulnerable to a post submission bounce/timing attack

WOWS Karma is a reputation system for Wargaming's World of Warships. A user is able to click multiple times on "create" on a post creation prompt before the modal closes, which triggers sending several post creation API requests at once. Due to timing, sending multiple posts simultaneously reques...

CVE-2024-23186

E-Mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices. Attackers could perform malicious API requests or extract information from the users account. Please deploy the provided updates and patch releases. We now use safer...

GHSA-PVXJ-25M6-7VQR Rancher Privilege escalation vulnerability via malicious "Connection" header

A vulnerability was discovered in Rancher 2.0.0 through the aforementioned patched versions, where a malicious Rancher user could craft an API request directed at the proxy for the Kubernetes API of a managed cluster to gain access to information they do not have access to. This is done by passin...

CVE-2024-32872 Umbraco Workflow's Backoffice users can execute arbitrary SQL

Umbraco workflow provides workflows for the Umbraco content management system. Prior to versions 10.3.9, 12.2.6, and 13.0.6, an Umbraco Backoffice user can modify requests to a particular API endpoint to include SQL, which will be executed by the server. Umbraco Workflow versions 10.3.9, 12.2.6,...

Nozomi Networks Guardian/CMC 安全漏洞

Nozomi Networks Guardian/CMC is a centralized management console from Nozomi Networks, USA. A security vulnerability exists in Nozomi Networks Guardian/CMC versions prior to v23.4.1 that stems from an audit log of an OpenAPI request that may contain sensitive information, which could lead to...

Apache CloudStack Security Bypass Vulnerability

Apache CloudStack is a suite of Infrastructure as a Service IaaS cloud computing platforms from the Apache Foundation in the United States. The platform is primarily used to deploy and manage large networks of virtual machines. Apache CloudStack suffers from a security bypass vulnerability that...

CVE-2024-29006 Apache CloudStack: x-forwarded-for HTTP header parsed by default

By default the CloudStack management server honours the x-forwarded-for HTTP header and logs it as the source IP of an API request. This could lead to authentication bypass and other operational problems should an attacker decide to spoof their IP address this way. Users are recommended to upgrad...

Graylog vulnerable to instantiation of arbitrary classes triggered by API request

Summary Arbitrary classes can be loaded and instantiated using a HTTP PUT request to the /api/system/clusterconfig/ endpoint. Details Graylog's cluster config system uses fully qualified class names as config keys. To validate the existence of the requested class before using them, Graylog loads...

CVE-2024-24824 graylog2-server vulnerable to instantiation of arbitrary classes triggered by API request

Graylog is a free and open log management platform. Starting in version 2.0.0 and prior to versions 5.1.11 and 5.2.4, arbitrary classes can be loaded and instantiated using a HTTP PUT request to the /api/system/clusterconfig/ endpoint. Graylog's cluster config system uses fully qualified class...

Gradio Path Traversal vulnerability

A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request...