CVE-2022-36037
Kirby is a content management system (CMS) that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting (XSS) is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or other users. In the Panel,...
CVE-2022-36037 Cross-site scripting (XSS) from dynamic options in the multiselect field in Kirby
Kirby is a content management system (CMS) that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting (XSS) is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or other users. In the Panel,...
PT-2022-23356 · Zoho · Zoho Manageengine Supportcenter Plus
Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine SupportCenter Plus versions prior to 11023 Description: The issue concerns authentication bypass in V3 API requests. This means an API request can be executed with the credentials of a user who authenticated in the past...
Authcov - Web App Authorisation Coverage Scanning
Web app authorisation coverage scanning. Introduction AuthCov crawls your web application using a Chrome headless browser while logged in as a pre-defined user. It intercepts and logs API requests as well as pages loaded during the crawling phase. In the next phase it logs in under a different us...
Vulnerability fixed in Adobe RoboHelp Server
Adobe has fixed a vulnerability in RoboHelp Server. A malicious party, with prior authentication and user authorization, could potentially exploit the vulnerability to grant themselves elevated privileges. The malicious party can, through manipulation of API requests, perform actions that are...
APSB22-31 : Security hotfix available for RoboHelp Server
Adobe has released a security hotfix for RoboHelp Server 11 Update 3, and prior releases. This hotfix resolves a security vulnerability that allows end users with non-administrative privileges to manipulate API requests and elevate their account privileges to that of a server administrator. This...
Guzzle Information Disclosure Vulnerability
Guzzle is a PHP HTTP client that makes it easy to send HTTP requests and integrate with web services. An information disclosure vulnerability exists in Guzzle versions prior to 7.4.3 and prior to 6.5.6, which stems from a vulnerability that allows a...
OpenStack Neutron Denial of Service vulnerability
An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API...
GHSA-Q3X9-28F7-W8RC Total.js CMS Unauthorized Access
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with limited privileges can get access to a resource that they do not own by calling the associated API. The product correctly manages privileges only for the front-end resource path, not for API requests. This leads to vertica...
OpenStack Compute (Nova) allows remote authenticated users to gain privileges via API requests
The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows...
GHSA-QV62-XFJ6-32XM RubyGems Improper Input Validation vulnerability
RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.3.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original...
IBM Robotic Process Automation has an unspecified vulnerability (CNVD-2022-63370)
IBM Robotic Process Automation is a robotic process automation product from IBM, Inc. It helps you automate more business and IT processes at scale with the ease and speed of traditional RPA. IBM Robotic Process Automation suffers from a security vulnerability that could be exploited by an attack...
Cross-Site Scripting (XSS)
actionpack is vulnerable to cross-site scripting. The vulnerability exists in the call function in content_security_policy.rb because CSP headers are only sent along with responses rendered by Rails and not with API requests, which allows an attacker to inject and execute JavaScript...
Cross-site Scripting Vulnerability in Action Pack
There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1 Impact CSP headers were only sent along with responses that Rails...
Design/Logic Flaw
It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent (DSA) has remote code execution vulnerabilities in multiple instances of the API requests. The affected endpoints do not have any input validation of the user's input, which allowed a malicious payload to be injected...
CVE-2022-0732
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability...
GHSA-RCWJ-2HJ2-VMJJ Insufficient Session Expiration in Apache NiFi Registry
If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging ou...
Insufficient Session Expiration in Apache NiFi Registry
If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging ou...
Ultimaker 3D printer cross-site request forgery vulnerability
The Ultimaker 3D printer is a series of powerful, professional 3D printers from the Dutch company Ultimaker. A security vulnerability exists in the Ultimaker 3D printer that originates from local web servers hosting APIs that are vulnerable to CSRF attacks. They do not validate incoming requests...