Cross site scripting
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the PostEnergyType API...
PT-2022-26004 · Unknown · Diaenergie
Name of the Vulnerable Software and Affected Versions: DIAEnergie versions prior to v1.9.01.002 Description: The issue concerns a stored cross-site scripting vulnerability. This vulnerability can be exploited through the SetPF API. Recommendations: For versions prior to v1.9.01.002, update to...
PT-2022-7016 · Cisco · Cisco Unified Communications Products
Name of the Vulnerable Software and Affected Versions: Cisco Unified Communications Products affected versions not specified Description: A vulnerability in an API endpoint of multiple Cisco Unified Communications Products could allow an unauthenticated, remote attacker to cause high CPU...
Denial of service
A denial of service vulnerability exists in the webserver hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network request can lead to denial of service. An attacker can send a sequence of requests to trigger this vulnerability. This denial of service is in the...
CVE-2022-35265
A denial of service vulnerability exists in the webserver hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network request can lead to denial of service. An attacker can send a sequence of requests to trigger this vulnerability. This denial of service is in the...
CVE-2022-35262
A denial of service vulnerability exists in the webserver hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network request can lead to denial of service. An attacker can send a sequence of requests to trigger this vulnerability. This denial of service is in the...
Heimdal GSSAPI Security Vulnerability
Heimdal GSSAPI is the General Security Service Application Program Interface for Heimdal Individual Developers. A security vulnerability exists in Heimdal GSSAPI that stems from a possible buffer overflow on malloc allocated memory by the DES and 3-DES decoding methods...
CVE-2022-31366
An arbitrary file upload vulnerability in the apiImportLabs function in apilabs.php of EVE-NG 2.0.3-112 Community allows attackers to execute arbitrary code via a crafted UNL file...
PT-2022-26712 · Tenda · Tenda Tx3
Name of the Vulnerable Software and Affected Versions: Tenda TX3 version US TX3V1.0br V16.03.13.11 multi TDE01 Description: A stack overflow issue was discovered via the timeZone parameter at the "/goform/SetSysTimeCfg" API endpoint. Recommendations: For Tenda TX3 version US TX3V1.0br V16.03.13.1...
PT-2022-26709 · Tenda · Tenda Tx3
Name of the Vulnerable Software and Affected Versions: Tenda TX3 US TX3V1.0br V16.03.13.11 multi TDE01 Description: A stack overflow issue was discovered via the startIp parameter at the "/goform/SetPptpServerCfg" API endpoint. Recommendations: For Tenda TX3 US TX3V1.0br V16.03.13.11 multi TDE01,...
PT-2022-25895 · Unknown · Billing System Project
Name of the Vulnerable Software and Affected Versions: Billing System Project version 1.0 Description: A SQL injection issue was found in the Billing System Project. The vulnerability can be exploited via the id parameter at the "/phpinventory/editbrand.php" API endpoint. Recommendations: For...
PT-2022-26292 · Tenda · Tenda Ac10
Name of the Vulnerable Software and Affected Versions: Tenda AC10 version 15.03.06.23 Description: The issue is related to a stack overflow vulnerability. This vulnerability can be exploited via the API endpoint "/goform/formSetSpeedWan". Recommendations: For Tenda AC10 version 15.03.06.23, as a...
MTN Group: Wordpress users Disclosure [ /wp-json/wp/v2/users/ ]
Summary: Using the REST API, we can see all the WordPress users/authors with some of their information, which can even be personal information of employees/authors. The file v2/users at: https://www.mtn.com/wp-json/wp/v2/users/ is enabled and this gives the attacker many user names like: Amogelang...
PT-2022-18934 · Unknown · Octopus Server
Name of the Vulnerable Software and Affected Versions: Octopus Server affected versions not specified Description: The issue allows revealing information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability. Recommendations: At the moment, there is no information...
CVE-2022-36068 Discourse moderators can edit themes via the API
Discourse is an open source discussion platform. In versions prior to 2.8.9 on the stable branch and prior to 2.9.0.beta10 on the beta and tests-passed branches, a moderator can create new and edit existing themes by using the API when they should not be able to do so. The problem is patched in...
LinkedIn: Unauthorized User can View Subscribers of Other Users Newsletters
A vulnerability existed in the LinkedIn Voyager platform that allowed unauthorized users to view the subscriber list and details of other users' newsletters by replaying a vulnerable request using the victim's NewsletterId. This was due to missing server-side authorization checks on a specific AP...
Code injection
The “Bytebase” application does not restrict low-privilege users from accessing admin “projects”, so an unauthorized user can view the “projects” created by “Admin”. The affected endpoint is “/api/project?user=$userId”...
PT-2022-15496 · Carlo Gavazzi · Carlo Gavazzi Uwp3.0
Name of the Vulnerable Software and Affected Versions: Carlo Gavazzi UWP3.0 affected versions not specified CPY Car Park Server version 2.8.3 Description: A missing authentication issue allows for full access via the API. This affects Carlo Gavazzi UWP3.0 and CPY Car Park Server, enabling...
PT-2022-25200 · Unknown · Online Tours & Travels Management System
Name of the Vulnerable Software and Affected Versions: Online Tours & Travels Management System version 1.0 Description: The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the id parameter at the "/admin/update expense.php" API endpoint. Recommendations...
CVE-2022-32229
CVE-2022-32229 affects Rocket.Chat prior to 5.x, caused by lack of sanitization in the /api/v1/chat.getThreadsList endpoint. This MongoDB injection flaw can disclose private thread messages to unauthorized users, as demonstrated by the HackerOne report and multiple CVE references. The issue impac...