Lucene search

393 matches found

NVD
added 2015/01/16 4:59 p.m., 8 views

CVE-2014-7814

SQL injection vulnerability in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 allows remote authenticated users to execute arbitrary SQL commands via a crafted REST API request to an SQL filter...

CVSS 6.5, AI score 7.8, EPSS 0.0039
Exploits: 0, References: 2
Prion
added 2015/01/16 4:59 p.m., 10 views

Sql injection

SQL injection vulnerability in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 allows remote authenticated users to execute arbitrary SQL commands via a crafted REST API request to an SQL filter...

CVSS 6.5, AI score 8.4, EPSS 0.0039
Exploits: 0, References: 2, Affected Software: 1
Hacker One
added 2015/01/08 2:46 p.m., 27 views

X (Formerly Twitter): fabric.io - app member can make himself an admin

Let's say Alice is a member of TestApp.
- Log into fabric.io as Alice and navigate to settings.
- Click on Apps and choose TestApp.
- Click on team members link and notice that Alice's role is Member. Clicking on team members link sends a similar request as shown below. GET...

AI score 6.9
Exploits: 0
Hacker One
added 2014/11/21 1:39 p.m., 40 views

X (Formerly Twitter): [Stored XSS] vine.co - profile page

Stored XSS via API request: While creating a new account in the Windows mobile app, I noticed this request: PUT /users/1147563919679037440 HTTP/1.1 avatarUrl=https%3A%2F%2Fvines.s3.amazonaws.com%2Favatarstrellis%2F2014%2F11%2F21%2F0B2EAE2EB811475639291495546881.3.4.jpg&username= it seems that the...

AI score 6.1
Exploits: 0
Cvelist
added 2014/10/31 2:00 p.m., 22 views

CVE-2014-3708

OpenStack Compute (Nova) before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (CPU consumption) via an IP filter in a list active servers API request...

AI score 6.1, EPSS 0.01057
Exploits: 1, References: 5
NVD
added 2014/10/25 12:55 a.m., 13 views

CVE-2014-2021

Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name...

CVSS 3.5, AI score 5.2, EPSS 0.00912
Exploits: 4, References: 7
Prion
added 2014/10/25 12:55 a.m., 17 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name...

CVSS 3.5, AI score 5.7, EPSS 0.00912
Exploits: 4, References: 7, Affected Software: 1
CVE
added 2014/10/25 12:00 a.m., 58 views

CVE-2014-2021

CVE-2014-2021 describes a persistent cross-site scripting (XSS) vulnerability in vBulletin’s AdminCP/ApiLog via the XMLRPC API. Affected products are vBulletin 4.x and 5.x (to date), with testing/verification noting versions up to 4.2.2 and 5.0.x, including 5.0.5. The root cause is improper sanit...

CVSS 3.5, AI score 7, EPSS 0.00912
Exploits: 4, References: 7, Affected Software: 1
NVD
added 2014/10/15 2:55 p.m., 16 views

CVE-2014-2022

SQL injection vulnerability in includes/api/4/breadcrumbscreate.php in vBulletin 4.2.2, 4.2.1, 4.2.0 PL2, and earlier allows remote authenticated users to execute arbitrary SQL commands via the conceptid argument in an xmlrpc API request...

CVSS 7.1, AI score 7.9, EPSS 0.00931
Exploits: 4, References: 5
Prion
added 2014/05/08 2:29 p.m., 13 views

Cross site request forgery (csrf)

The external node classifier (ENC) API in Foreman before 1.1 allows remote attackers to obtain the hashed root password via an API request...

CVSS 5, AI score 7.4, EPSS 0.00403
Exploits: 0, References: 2, Affected Software: 1
UbuntuCve
added 2013/12/11 3:00 p.m., 23 views

CVE-2013-6391

The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2toke...

CVSS 5.8, AI score 5.9, EPSS 0.00498
Exploits: 2, References: 3
Prion
added 2013/09/16 7:14 p.m., 17 views

Cross site request forgery (csrf)

app/controllers/api/v1/hostscontroller.rb in Foreman before 1.2.2 does not properly restrict access to hosts, which allows remote attackers to access arbitrary hosts via an API request...

CVSS 7.5, AI score 7.3, EPSS 0.00703
Exploits: 0, References: 4, Affected Software: 2
VMware
added 2012/11/13 12:00 a.m., 97 views

VMSA-2012-0016:VMware security updates for vSphere API and ESX Service Console

VMware Security Advisory. Advisory ID: VMSA-2012-0016. Synopsis: VMware security updates for vSphere API and ESX Service Console. Issue date:...

CVSS 8.5, AI score 8.5, EPSS 0.53159
Exploits: 8, Affected Software: 2