CVE-2023-23590 (Design/Logic Flaw)
Mercedes-Benz XENTRY Retail Data Storage 7.8.1 allows remote attackers to cause a denial of service (device restart) via an unauthenticated API request. The attacker must be on the same network as the device...
Account takeover via changing password
Description: After logging in as a normal user, go to Settings and change the password; you will find the following request: PATCH /api/user/104 HTTP/2 Host: demo.usememos.com Cookie:...
Design/Logic Flaw
A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon, tailscaled, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket and communicated with the Windows...
Debian dla-3109 : nova-api - security update
The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3109 advisory. Debian LTS Advisory DLA-3109-1 https://www.debian.org/lts/security/...
CVE-2022-38771 (Cross site request forgery, csrf)
The mobile application in Transtek Mojodat FAM Fixed Asset Management 2.4.6 allows remote attackers to send SCRIPT tags as injected input to the API request...
CVE-2022-36037 Cross-site scripting (XSS) from dynamic options in the multiselect field in Kirby
Kirby is a content management system (CMS) that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting (XSS) is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or other users. In the Panel,...
MAL-2022-640 Malicious code in @thrift-api/request (npm)
Source: ghsa-malware fc7c546cee9e2a91fe9d45f7f261892c3bfb7d979a727786c4f77d1ac0be7e16. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
GHSA-8RP6-X3R7-5QW3 SaltStack Salt is vulnerable to shell injection via ProxyCommand argument
An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via sshoptions provided in an API request...
CVE-2022-22434 (Cross site request forgery, csrf)
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user with physical access to create an API request modified to create additional objects. IBM X-Force ID: 224159...
Security Bulletin: IBM Robotic Process Automation could allow a user with physical access to create an API request modified to create additional objects (CVE-2022-22434)
Summary: IBM Robotic Process Automation could allow a user with physical access to create an API request modified to create additional objects. Vulnerability Details: CVEID: CVE-2022-22434. DESCRIPTION: IBM Robotic Process Automation could allow a user with physical access to create an API request...
CVE-2021-3523
3scale APICast (Red Hat 3scale) is affected in versions prior to 2.11.0. The root cause is incorrect reuse of connections, enabling an attacker to bypass API security restrictions when hosting multiple APIs on the same IP. CVSS v3.1 base score is 7.5 (HIGH); exploitation details are not provided....
CVE-2021-41594 (Cross site request forgery, csrf)
In RSA Archer 6.9.SP1 P3, if some application functions are precluded by the Administrator, this can be bypassed by intercepting the API request at the /api/V2/internal/TaskPermissions/CheckTaskAccess endpoint. If the parameters of this request are replaced with empty fields, the attacker achieve...