PT-2024-18674 · Cisco · Cisco Ise
Name of the Vulnerable Software and Affected Versions: Cisco ISE affected versions not specified Description: A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read and delete arbitrary files on an affected device. This issue is due to insufficient validatio...
Improper Access Control
Umbraco is vulnerable to Improper Access Control. The vulnerability is due to insufficient restrictions on API access and is caused by improper access control in the webhook API, allows low-privilege users to retrieve information that should be accessible only to users with settings section...
CVE-2024-7456
A SQL injection vulnerability exists in the /api/v1/external-users route of lunary-ai/lunary version v1.4.2. The order by clause of the SQL query uses sql.unsafe without prior sanitization, allowing for SQL injection. The orderByClause variable is constructed without server-side validation or...
CVE-2024-39719
An issue was discovered in Ollama through 0.3.14. File existence disclosure can occur via api/create. When calling the CreateModel route with a path parameter that does not exist, it reflects the "File does not exist" error message to the attacker, providing a primitive for file existence on the...
CVE-2024-39719
CVE-2024-39719 affects Ollama up to version 0.3.14. The vulnerability arises in the /api/create CreateModel path handling, where querying a non-existent path triggers server error messages that disclose file existence, enabling an attacker to probe for files on the server. Public documentation ac...
How to Mitigate the Latest API Vulnerability in FortiManager
Overview of the FortiManager API Vulnerability Recently, a critical API vulnerability in FortiManager CVE-2024-47575 was disclosed. Certain threat actors exploited it in the wild to steal sensitive information containing configurations, IP addresses, and credentials used by managed devices. In...
CVE-2024-48931
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint http:///v3/file?token=&files= is vulnerable to arbitrary file reading due to improper input validation. By manipulating the files...
CVE-2024-48932 ZimaOS Unauthenticated API Discloses Usernames
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint http:///v1/users/name allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be...
Mars: Insecure API Response Leads to Disclosure of Hashed Passwords
A security vulnerability was identified in the API of ████████. The endpoint ████████ was found to return sensitive user information, including hashed passwords, in its response. This exposure presented a significant security risk, as it potentially allowed unauthorized access to user credentials...
CVE-2024-9143
Issue summary: Use of the low-level GF2^m elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. Impact summary: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution,...
PT-2024-38041 · Unknown · Open-Webui
Name of the Vulnerable Software and Affected Versions: open-webui/open-webui version v0.3.8 Description: An Insecure Direct Object Reference IDOR vulnerability exists, occurring in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update. The decentralization design is flawed, allowing...
CVE-2024-20432
A vulnerability in the REST API and web UI of Cisco Nexus Dashboard Fabric Controller NDFC could allow an authenticated, low-privileged, remote attacker to perform a command injection attack against an affected device. This vulnerability is due to improper user authorization and insufficient...
CVE-2024-20442 Cisco Nexus Dashboard Unauthorized API Endpoints Vulnerability
A vulnerability in the REST API endpoints of Cisco Nexus Dashboard could allow an authenticated, low-privileged, remote attacker to perform limited Administrator actions on an affected device. This vulnerability is due to insufficient authorization controls on some REST API endpoints. An attacker...
Proxmox Virtual Environment Security Vulnerability
Proxmox Virtual Environment Proxmox VE is an open source server virtualization environment Linux distribution from Proxmox. A security vulnerability exists in Proxmox Virtual Environment, which stems from insufficient protection against malicious API response values, and allows an authenticated...
The vulnerability of the application programming interface of the Cisco Identity Services Engine (ISE) management platform allows a perpetrator to gain unauthorized access to and modify protected information.
The vulnerability of the application programming interface of the Cisco Identity Services Engine ISE management platform relates to the lack of protective measures for the SQL query structure. Exploiting this vulnerability may allow a malicious actor, operating remotely, to gain unauthorized acce...
CVE-2024-8522 LearnPress – WordPress LMS Plugin <= 4.2.7 - Unauthenticated SQL Injection via 'c_only_fields'
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of...
PT-2024-10394 · Cisco · Cisco Optical Site Manager +3
Name of the Vulnerable Software and Affected Versions: Cisco Crosswork Network Services Orchestrator NSO affected versions not specified Cisco ConfD affected versions not specified Cisco Optical Site Manager affected versions not specified Cisco RV340 Dual WAN Gigabit VPN Routers affected version...
PT-2024-39073
Name of the Vulnerable Software and Affected Versions: LearnPress – WordPress LMS Plugin versions up to 4.2.7 Description: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the "/wp-json/learnpress/v1/courses" REST API...
CVE-2024-42759
Ellevo v6.2.0.38160 contains a privilege-escalation issue exploitable via the /api/usuario/cadastrodesuplente endpoint. The vulnerability permits a remote attacker to escalate privileges, with impact on confidentiality, integrity, and availability described as HIGH/HIGH/LOW respectively (per CVSS...