1618 matches found

OSV
added 2024/09/04 2:15 a.m. · 1 view

CVE-2024-45442

Vulnerability of permission verification for APIs in the DownloadProviderMain module. Impact: Successful exploitation of this vulnerability will affect availability...

7.5 CVSS · 5.8 AI score · 0.00182 EPSS
Exploits 0 · References 1
Positive Technologies
added 2024/09/03 12:00 a.m. · 2 views

PT-2024-31689 · Unknown · Symphony Xts Mobile Trading +1

Name of the Vulnerable Software and Affected Versions: Symphony XTS Web Trading and Mobile Trading platforms version 2.0.0.1 P160. Description: This issue exists due to improper access controls on APIs in the Authentication module. An authenticated remote attacker could exploit this by manipulatin...

9.2 CVSS · 6.9 AI score · 0.00432 EPSS
Exploits 0 · References 9
Positive Technologies
added 2024/08/29 12:00 a.m. · 2 views

PT-2024-7016 · TP-Link · TP-Link WR941ND

Name of the Vulnerable Software and Affected Versions: TP-Link WR941ND V6. Description: The issue is a stack-based buffer overflow in the ssid parameter of the "/userRpm/popupSiteSurveyRpm.htm" API endpoint. This vulnerability can be exploited by sending a specially crafted POST reques...

8.0 CVSS · 6.8 AI score · 0.02231 EPSS
Exploits 0 · References 9
Positive Technologies
added 2024/08/26 12:00 a.m. · 1 view

PT-2024-41039 · Unknown · Knowledge Space

Name of the Vulnerable Software and Affected Versions: Knowledge Space, affected versions not specified. Description: The issue is related to a lack of user permission checks in the Knowledge Space integrated planning platform's application programming interface. This could allow a remote attacker ...

4.0 CVSS · 7.1 AI score
Exploits 0 · References 1
OSV
added 2024/08/05 9:29 p.m. · 19 views

GHSA-FCCX-2PWJ-HRQ7 Flowise Cross-site Scripting in /api/v1/public-chatflows/id

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/public-chatflows/id endpoint. If the default configuration is used unauthenticated, an attacker may be able to...

6.1 CVSS · 6.2 AI score · 0.00405 EPSS
Exploits 1 · References 4
Veracode
added 2024/08/05 3:46 a.m. · 12 views

Improper Authorization

bostr is vulnerable to Improper Authorization. The vulnerability is due to improper validation, which lets any user access the API even when authorized_keys is configured and noscraper is set to true. Attackers can exploit this by gaining access to the relay without proper authorization...

6.3 CVSS · 6.6 AI score · 0.0028 EPSS
Exploits 0 · References 4 · Affected software 1
GitLab Advisory Database
added 2024/08/05 12:00 a.m. · 12 views

go2rtc vulnerable to Cross-Site Request Forgery

go2rtc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to Cross-Site Request Forgery. The /api/config endpoint allows one to modify the existing configuration with user-supplied values. While the API only allows localhost to interact without authentication, an...

8.8 CVSS · 7.4 AI score · 0.00471 EPSS
Exploits 1 · References 5 · Affected software 1
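The go2rtc entry above describes the classic "localhost needs no authentication" trap: the TCP peer address is 127.0.0.1 for a curl run by the operator, but it is also 127.0.0.1 for the operator's browser when a malicious page makes it POST to the API, and a form-encoded or text/plain POST is a "simple request" that browsers send without a CORS preflight, so the side effect lands before any response is examined. The following is an added example written for this page; it is not go2rtc's code, and the UI origins and port are assumed values. It shows the peer-address-only check next to a filter that also consults the Sec-Fetch-Site and Origin headers that browsers attach, which lets plain local clients through while refusing cross-site forgeries.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

LOOPBACK = {"127.0.0.1", "::1"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Assumed origins of the service's own web UI (hypothetical values for this demo).
OWN_ORIGINS: Tuple[str, ...] = ("http://127.0.0.1:1984", "http://localhost:1984")


@dataclass
class Request:
    method: str
    path: str
    remote_addr: str  # TCP peer address as the server sees it
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup."""
        wanted = name.lower()
        for key, value in self.headers.items():
            if key.lower() == wanted:
                return value
        return None


def vulnerable_allows(req: Request) -> bool:
    """Peer-address-only exemption. A browser on the same machine, steered by
    a malicious page, also connects from 127.0.0.1, so its forged POST passes."""
    return req.remote_addr in LOOPBACK


def hardened_allows(req: Request) -> bool:
    """A loopback peer is necessary but not sufficient for state-changing calls.

    Browsers set Sec-Fetch-Site on every request and Origin on cross-origin
    POSTs, so a script-driven cross-site request identifies itself and is
    refused. A plain local client (curl, a service unit) sends neither header
    and is still admitted, which is the case the exemption exists for.
    """
    if req.remote_addr not in LOOPBACK:
        return False
    if req.method.upper() in SAFE_METHODS:
        return True
    fetch_site = req.header("Sec-Fetch-Site")
    if fetch_site is not None:
        # "none" is a user-initiated navigation (typed URL, bookmark), not a page's fetch.
        return fetch_site in ("same-origin", "none")
    origin = req.header("Origin")
    if origin is not None:
        # Older browsers without Sec-Fetch-*: Origin is still sent on cross-origin
        # POSTs; an opaque "null" origin falls through to a refusal here too.
        return origin in OWN_ORIGINS
    return True


# Constructed requests: what the server sees in each scenario.
FORGED_FROM_BROWSER = Request(
    "POST", "/api/config", "127.0.0.1",
    {"Origin": "http://attacker.example", "Sec-Fetch-Site": "cross-site",
     "Content-Type": "text/plain"},  # simple request: no preflight, side effect lands
)
LEGACY_BROWSER_FORGED = Request(
    "POST", "/api/config", "127.0.0.1", {"Origin": "http://attacker.example"},
)
OWN_UI = Request(
    "POST", "/api/config", "127.0.0.1",
    {"Origin": "http://127.0.0.1:1984", "Sec-Fetch-Site": "same-origin"},
)
LOCAL_CLI = Request("POST", "/api/config", "127.0.0.1", {})
REMOTE = Request("POST", "/api/config", "203.0.113.9", {})


def verdicts() -> Dict[str, Tuple[bool, bool]]:
    """(vulnerable, hardened) decision for each constructed request."""
    cases = {
        "forged from browser": FORGED_FROM_BROWSER,
        "forged, legacy browser": LEGACY_BROWSER_FORGED,
        "own UI": OWN_UI,
        "local CLI": LOCAL_CLI,
        "remote": REMOTE,
    }
    return {name: (vulnerable_allows(r), hardened_allows(r)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in verdicts().items():
        print(f"{name:24} peer-only={naive!s:5} hardened={hardened}")
```

The header check is a defence for the unauthenticated-localhost path only; a service that can be reached from other hosts still needs real authentication, and the safe-method shortcut assumes GET never changes state.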
GitHub Security Blog
added 2024/07/31 3:31 p.m. · 21 views

Weave server API vulnerable to arbitrary file leak

The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin...

8.8 CVSS · 7.0 AI score · 0.05015 EPSS
Exploits 0 · References 5 · Affected software 1
NVD
added 2024/07/31 3:15 p.m. · 34 views

CVE-2024-7340

The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin...

8.8 CVSS · 0.05015 EPSS
Exploits 0 · References 2
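Both Weave entries above describe the same bug class: an endpoint that serves files from a fixed directory joins the caller's path onto that directory and never checks that the result stays inside it. The block below is an added example for this page, not Weave's code; the base directory and request strings are constructed. It puts the naive join next to a containment check that decodes once, rejects absolute paths and NUL bytes, treats backslashes as separators, and uses os.path.commonpath rather than a string-prefix test (which would accept /srv/app/files2 as "under" /srv/app/files).

```python
import os
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed base directory for this demo; a real service would use its own data dir.
BASE_DIR = "/srv/app/files"


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """The bug class: join and normalise, never check containment.

    '../' segments walk out of base_dir, and an absolute `requested` makes
    os.path.join discard base_dir entirely.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Return the resolved path if it stays inside base_dir, else None.

    1. percent-decode once, so '%2e%2e' is seen as '..'
    2. reject empty input, NUL bytes and absolute paths outright
    3. treat backslashes as separators (Windows-style traversal strings)
    4. normalise, then test containment with os.path.commonpath

    On a live filesystem, also resolve symlinks (os.path.realpath) on both
    sides before the containment test: a symlink inside base_dir can point
    out of it, which is the CRI-O-style variant of the same problem.
    """
    decoded = unquote(requested)
    if not decoded or "\x00" in decoded or decoded.startswith(("/", "\\")):
        return None
    decoded = decoded.replace("\\", "/")
    base_norm = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base_norm, decoded))
    try:
        contained = os.path.commonpath([base_norm, candidate]) == base_norm
    except ValueError:  # mixed absolute/relative paths, or different drives on Windows
        return None
    return candidate if contained else None


# Constructed probes: benign requests followed by the usual traversal shapes.
PROBES: List[str] = [
    "notes/report.txt",
    "a/../b.txt",
    "../../../etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/etc/passwd",
    "..\\..\\..\\etc\\passwd",
    "../files2/secret.txt",
]


def demo() -> List[Tuple[str, str, Optional[str]]]:
    """(probe, naive result, safe result) for every constructed probe."""
    return [(p, vulnerable_resolve(BASE_DIR, p), safe_resolve(BASE_DIR, p)) for p in PROBES]


if __name__ == "__main__":
    for probe, naive, safe in demo():
        print(f"{probe!r:36} naive={naive!s:28} safe={safe}")
```

Returning None and mapping it to a 404 (not a 403 that confirms the file exists outside the directory) keeps the endpoint from becoming an oracle; the check must run on the decoded value the filesystem will actually see, not on the raw URL.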
CVE
added 2024/07/17 5:51 p.m. · 86 views

CVE-2024-40633

Summary: CVE-2024-40633 affects Sylius (Symfony-based) in the /api/v2/shop/adjustments/{id} endpoint. The flaw enables an attacker to enumerate valid adjustment IDs and retrieve order tokens, potentially exposing sensitive guest customer order details. Affected/Root cause: Unauthenticated access ...

5.3 CVSS · 5.0 AI score · 0.0038 EPSS
Exploits 0 · References 1
CNNVD
added 2024/07/09 12:00 a.m. · 10 views

Siemens SINEMA Remote Connect Server Security Vulnerability

Siemens SINEMA Remote Connect Server is a remote network management platform from Siemens, Germany. The platform is used to remotely access, maintain, control and diagnose the underlying network. A security vulnerability exists in Siemens SINEMA Remote Connect Server because the affected...

8.7 CVSS · 6.7 AI score · 0.00445 EPSS
Exploits 0 · References 2
BDU FSTEC
added 2024/07/02 12:00 a.m. · 3 views

The vulnerability of the CRI-O Container Engine’s application programming interface allows a malicious actor to read and write arbitrary files on the host system.

The vulnerability in the CRI-O Container Engine’s application programming interface relates to the creation of a symbolic link that points to any directory or file on the host system by traversing directories. Exploiting this vulnerability allows an attacker to read and write arbitrary file...

8.1 CVSS · 7.6 AI score · 0.01237 EPSS
Exploits 0 · References 3 · Affected software 2
Cvelist
added 2024/07/01 6:19 p.m. · 36 views

CVE-2024-37145 GHSL-2023-247: Flowise xss in /api/v1/chatflows-streaming/id

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/chatflows-streaming/id endpoint. If the default configuration is used unauthenticated, an attacker may be able...

6.1 CVSS · 0.00459 EPSS
Exploits 1 · References 2
Cvelist
added 2024/07/01 6:17 p.m. · 20 views

CVE-2024-36423 GHSL-2023-246: Flowise xss in /api/v1/public-chatflows/id

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/public-chatflows/id endpoint. If the default configuration is used unauthenticated, an attacker may be able to...

6.1 CVSS · 0.00405 EPSS
Exploits 1 · References 2
Cvelist
added 2024/07/01 4:02 p.m. · 20 views

CVE-2024-36422 GHSL-2023-245: Flowise xss in api/v1/chatflows/id

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the api/v1/chatflows/id endpoint. If the default configuration is used unauthenticated, an attacker may be able to craft a...

6.1 CVSS · 0.00406 EPSS
Exploits 1 · References 2
Vulnrichment
added 2024/07/01 3:53 p.m. · 24 views

CVE-2024-36420 GHSL-2023-232: Flowise Path Injection at /api/v1/openai-assistants-file

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the /api/v1/openai-assistants-file endpoint in index.ts is vulnerable to arbitrary file read due to lack of sanitization of the fileName body parameter. No known patches for this...

7.5 CVSS · 6.9 AI score · 0.01761 EPSS
Exploits 3 · References 2
OSV
added 2024/06/25 12:28 p.m. · 5 views

MAL-2024-1761 Malicious code in api-discord-type (npm)

--- -= Per source details. Do not edit below this line.=-...

7.1 AI score
Exploits 0
OSV
added 2024/06/19 3:36 a.m. · 17 views

SUSE-FU-2024:2078-1 Feature update for rabbitmq-server313, erlang26, elixir115

This update for rabbitmq-server313, erlang26, elixir115 fixes the following issues: rabbitmq-server was implemented with a parallel versioned RPM package at version 3.13.1 (jsc#PED-8414): - Security issues fixed: CVE-2021-22116: Fixed improper input validation that may lead to Denial of Service (DoS)...

7.5 CVSS · 6.3 AI score · 0.01437 EPSS
Exploits 2 · References 16
BDU FSTEC
added 2024/06/18 12:00 a.m. · 1 view

The vulnerability of the LDAP URL parser component in the Apache Directory LDAP API software allows a malicious actor to cause service failure.

The vulnerability in the LDAP URL parser component of Apache Directory LDAP API is related to a lack of validation of user-supplied input. Exploiting this vulnerability can allow a malicious actor to cause service failures remotely...

7.8 CVSS · 5.5 AI score
Exploits 0 · References 2 · Affected software 1
NVD
added 2024/06/14 10:15 a.m. · 20 views

CVE-2024-5685

Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by changing group memberships via an API call. This issue affects snipe-it: from v4.6.17 through v6.4.1...

8.1 CVSS · 0.00407 EPSS
Exploits 0 · References 5
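The snipe-it entry above is a vertical privilege escalation through a user-update API: the authorization question asked is "may this caller edit users?", and once that is answered yes the whole payload, group membership included, is applied. The block below is an added example for this page, not Snipe-IT's code. It reuses the two permission names quoted in the advisory; the "superuser" flag, the field names and the sample actors are assumed for the demo. It shows the permissive filter beside one that allow-lists fields, treats group and permission changes as a separate admin-only capability, and refuses that capability on the caller's own account even for admins.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet

# Permission names as quoted in the advisory; "superuser" is an assumed admin
# flag for this demo, not a Snipe-IT identifier.
USER_EDIT = "User:edit"
SELF_API = "Self:api"
SUPERUSER = "superuser"

# Assumed field split: what an ordinary editor may change vs. what confers privilege.
EDITABLE_FIELDS = {"first_name", "last_name", "email", "notes", "location_id"}
PRIVILEGED_FIELDS = {"groups", "permissions"}

Payload = Dict[str, Any]


@dataclass(frozen=True)
class Actor:
    user_id: int
    permissions: FrozenSet[str]


def _may_use_user_api(actor: Actor) -> bool:
    return USER_EDIT in actor.permissions and SELF_API in actor.permissions


def vulnerable_filter(actor: Actor, target_id: int, payload: Payload) -> Payload:
    """Bug class: a single coarse check, then the whole payload is applied,
    so {"groups": ["admins"]} from an ordinary editor rides straight through."""
    if not _may_use_user_api(actor):
        raise PermissionError("not allowed to edit users via the API")
    return dict(payload)


def hardened_filter(actor: Actor, target_id: int, payload: Payload) -> Payload:
    """Allow-list the fields; gate privilege-bearing fields on an admin flag and
    never let any caller, admin included, raise or lower their own privileges."""
    if not _may_use_user_api(actor):
        raise PermissionError("not allowed to edit users via the API")
    unknown = set(payload) - EDITABLE_FIELDS - PRIVILEGED_FIELDS
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    touches_privilege = PRIVILEGED_FIELDS & set(payload)
    if touches_privilege:
        if SUPERUSER not in actor.permissions:
            raise PermissionError(f"{sorted(touches_privilege)} require superuser")
        if target_id == actor.user_id:
            raise PermissionError("cannot change your own groups or permissions")
    return dict(payload)


def decision(check: Callable[[Actor, int, Payload], Payload],
             actor: Actor, target_id: int, payload: Payload) -> str:
    """Summarise what a filter does with a request: applied, denied or rejected."""
    try:
        check(actor, target_id, payload)
    except PermissionError:
        return "denied"
    except ValueError:
        return "rejected"
    return "applied"


# Constructed sample actors: an ordinary editor and an admin.
EDITOR = Actor(7, frozenset({USER_EDIT, SELF_API}))
ADMIN = Actor(1, frozenset({USER_EDIT, SELF_API, SUPERUSER}))

if __name__ == "__main__":
    promote_self = {"groups": ["admins"]}
    print("editor promotes self, permissive:", decision(vulnerable_filter, EDITOR, 7, promote_self))
    print("editor promotes self, hardened:  ", decision(hardened_filter, EDITOR, 7, promote_self))
    print("admin promotes other, hardened:  ", decision(hardened_filter, ADMIN, 9, promote_self))
    print("admin promotes self, hardened:   ", decision(hardened_filter, ADMIN, 1, promote_self))
```

The same pattern applies to any "edit user" endpoint: decide per field, not per route, and log a denied privilege change, since an ordinary editor sending a groups key is a signal worth seeing in detection.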