1618 matches found

Cvelist · added 2024/11/26 10:54 a.m. · 15 views

CVE-2024-50364

A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G <= 1.6.3, EKI-6333AC-2GD <= v1.6.3 and EKI-6333AC-1GPO <= v1.2.1. The source of the vulnerability relies on...

CVSS 7.2 · EPSS 0.01022 · Exploits 0 · References 1
Positive Technologies · added 2024/11/26 12:00 a.m. · 4 views

PT-2024-35092 · Fides · Fides

Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.50.0. Description: The user invite acceptance API endpoint /api/v1/user/accept-invite lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation...

CVSS 2 · AI score 6.9 · EPSS 0.00525 · Exploits 0 · References 6
OSV · added 2024/11/21 11:21 a.m. · 11 views

OPENSUSE-SU-2024:0370-1 Security update for cobbler

This update for cobbler fixes the following issues: Update to 3.3.7. Security: Fix issue that allowed anyone to connect to the API as admin (CVE-2024-47533, boo1231332). bind: Fix bug that prevents cname entries from being generated successfully. Fix build on RHEL9 based distributions. fence-agents-al...

CVSS 9.8 · AI score 9.3 · EPSS 0.03948 · Exploits 6 · References 3
Tenable Nessus · added 2024/11/21 12:00 a.m. · 13 views

D-Link Routers Incorrect Use Of Privileged APIs (CVE-2024-11068)

The D-Link DSL6740C modem has an Incorrect Use of Privileged APIs vulnerability, allowing unauthenticated remote attackers to modify any user's password by leveraging the API, thereby granting access to Web, SSH, and Telnet services using that user's account. Note that Nessus has not tested f...

CVSS 9.8 · AI score 5.5 · EPSS 0.01174 · Exploits 0 · References 2
NVD · added 2024/11/15 5:15 p.m. · 26 views

CVE-2024-52517

Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing them to be read in plain text when an attacker already has access to an active session of a user. It is recommended that the...

CVSS 5.9 · EPSS 0.00589 · Exploits 0 · References 4
Veracode · added 2024/11/15 6:34 a.m. · 9 views

Authentication Bypass

codechecker is vulnerable to Authentication Bypass. The vulnerability is due to improper URL handling in the API, where the endpoint ending with "/Authentication" fails to properly enforce access controls, allowing unauthorized superuser access to other API endpoints...

CVSS 10 · AI score 6.6 · EPSS 0.3922 · Exploits 0 · References 3 · Affected Software 1
Positive Technologies · added 2024/11/15 12:00 a.m. · 4 views

PT-2024-27964

Name of the Vulnerable Software and Affected Versions: GLPI versions 9.2.0 through 10.0.15. Description: The issue allows unauthorized download of documents from the API without appropriate rights. Recommendations: Upgrade to version 10.0.16 to resolve the issue. As a temporary workaround, consider...

CVSS 7.8 · AI score 5.8 · EPSS 0.00351 · Exploits 0 · References 14
NVD · added 2024/11/12 7:15 a.m. · 16 views

CVE-2024-10323

The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.0.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-lev...

CVSS 6.4 · EPSS 0.00295 · Exploits 0 · References 3
Cvelist · added 2024/11/09 5:17 p.m. · 19 views

CVE-2024-42000 Unauthorized Access to view channels' details

Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 fail to properly authorize the requests to /api/v4/channels, which allows a User or System Manager, with "Read Groups" permission but with no access for channels, to retrieve details about private channels that...

CVSS 2.7 · EPSS 0.00279 · Exploits 0 · References 1
Huntr · added 2024/11/09 4:40 a.m. · 11 views

Remote Code Execution via Model Deserialization on /api/v2/models/install API

Summary: I have identified a critical vulnerability leading to remote code execution in the /api/v2/models/install API through unsafe model deserialization. The API allows users to specify a model URL, which is downloaded and loaded server-side using torch.load without proper validation. This...

CVSS 9.8 · AI score 10 · EPSS 0.04978 · Exploits 5
Hacker One · added 2024/11/07 5:12 p.m. · 4 views

Mars: unauthorized access and add user and change personal information all users

The report describes a vulnerability in the ██████████ website, where unauthorized access to an API endpoint allowed attackers to add new users and modify personal information of existing users. The vulnerability was classified as Improper Access Control. The issue stemmed from the absence of...

AI score 7 · Exploits 0
BDU FSTEC · added 2024/11/07 12:00 a.m. · 4 views

The vulnerability of the Widget API component of the JetBrains YouTrack software tool allows a hacker to perform cross-site scripting attacks.

The vulnerability of the Widget API component of the JetBrains YouTrack software suite relates to the lack of security measures for protecting the website structure. Exploiting this vulnerability could allow attackers to perform cross-site scripting attacks...

CVSS 6.4 · AI score 5.2 · EPSS 0.00329 · Exploits 0 · References 2 · Affected Software 1
OSV · added 2024/11/06 5:15 p.m. · 1 view

CVE-2024-20528

A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to upload files to arbitrary locations on the underlying operating system of an affected device. To exploit this vulnerability, an attacker would need valid Super Admin credentials. This vulnerability is due to...

CVSS 7.2 · AI score 6 · EPSS 0.00601 · Exploits 0 · References 1
OSV · added 2024/11/06 5:15 p.m. · 1 view

CVE-2024-20529

A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read and delete arbitrary files on an affected device. To exploit this vulnerability, the attacker would need valid Super Admin credentials. This vulnerability is due to insufficient validation of user-suppli...

CVSS 5.5 · AI score 5.9 · EPSS 0.00526 · Exploits 0 · References 1
NVD · added 2024/11/06 5:15 p.m. · 13 views

CVE-2024-20528

A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to upload files to arbitrary locations on the underlying operating system of an affected device. To exploit this vulnerability, an attacker would need valid Super Admin credentials. This vulnerability is due to...

CVSS 7.2 · EPSS 0.00601 · Exploits 0 · References 1
NVD · added 2024/11/06 5:15 p.m. · 15 views

CVE-2024-20529

A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read and delete arbitrary files on an affected device. To exploit this vulnerability, the attacker would need valid Super Admin credentials. This vulnerability is due to insufficient validation of user-suppli...

CVSS 5.5 · EPSS 0.00526 · Exploits 0 · References 1
Cvelist · added 2024/11/06 4:30 p.m. · 12 views

CVE-2024-20527 Cisco Identity Services Engine Arbitrary File Read and Delete Vulnerability

A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read and delete arbitrary files on an affected device. To exploit this vulnerability, the attacker would need valid Super Admin credentials. This vulnerability is due to insufficient validation of user-suppli...

CVSS 5.5 · EPSS 0.00526 · Exploits 0 · References 1
Vulnrichment · added 2024/11/06 4:30 p.m. · 10 views

CVE-2024-20527 Cisco Identity Services Engine Arbitrary File Read and Delete Vulnerability

A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read and delete arbitrary files on an affected device. To exploit this vulnerability, the attacker would need valid Super Admin credentials. This vulnerability is due to insufficient validation of user-suppli...

CVSS 5.5 · AI score 7.1 · EPSS 0.00526 · Exploits 0 · References 1
Positive Technologies · added 2024/11/06 12:00 a.m. · 2 views

PT-2024-18676 · Cisco · Cisco Ise

Name of the Vulnerable Software and Affected Versions: Cisco ISE versions prior to 3.3.0. Description: A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read and delete arbitrary files on an affected device. This is due to insufficient validation of...

CVSS 7.5 · AI score 7.2 · EPSS 0.00526 · Exploits 0 · References 8
Positive Technologies · added 2024/11/06 12:00 a.m. · 4 views

PT-2024-18679 · Cisco · Cisco Ise

Name of the Vulnerable Software and Affected Versions: Cisco ISE, affected versions not specified. Description: A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device and conduct a...

CVSS 6.5 · AI score 7.1 · EPSS 0.00361 · Exploits 0 · References 6