1618 matches found
CVE-2021-1524
A vulnerability in the API of Cisco Meeting Server could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability exists because requests that are sent to the API are not properly validated. An attacker could exploit this...
Cisco Meeting Server Input Validation Error Vulnerability
Cisco Meeting Server is a video conferencing solution from Cisco that combines place-based video, audio, and Web communications to meet the collaboration needs of the modern workplace. A denial of service vulnerability exists in the API for Cisco Meeting Server versions 3.1, 3.1.1. The...
Tracking Amazon delivery staff
TL;DR The Amazon delivery tracking API allows ultra-precise tracking of drivers. Amazon claim that customers can only track the driver for the 10 stops prior to theirs. This isn’t the case – one can track the driver on the entire route and all drops, including their speed on the road. This preci...
CVE-2021-0132
Missing release of resource after effective lifetime in an API for the Intel(R) Security Library before version 3.3 may allow a privileged user to potentially enable denial of service via network access...
HealthForYou 1.11.1 / HealthCoach 2.9.2 User Enumeration
Trovent Security Advisory 2104-01 User enumeration through API Overview Advisory ID: TRSA-2104-01 Advisory version: 1.0 Advisory status: Public Advisory URL: https://trovent.io/security-advisory-2104-01 Affected product: HealthForYou & Sanitas HealthCoach mobile and web applications Tested...
HealthForYou 1.11.1 / HealthCoach 2.9.2 Account Takeover
Trovent Security Advisory 2104-02 Account takeover with only email address possible Overview Advisory ID: TRSA-2104-02 Advisory version: 1.0 Advisory status: Public Advisory URL: https://trovent.io/security-advisory-2104-02 Affected product: HealthForYou & Sanitas HealthCoach mobile and web...
VulnCheck KEV: CVE-2021-21975
Server Side Request Forgery (SSRF) in vRealize Operations Manager API prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API to perform an SSRF attack to steal administrative credentials...
Synology Video Station Code Issue Vulnerability
Synology Video Station is a video management center. It can manage all movies, TV shows and home videos on Synology NAS. A server-side request forgery vulnerability exists in the Synology Video Station webapi component before 2.4.10-1632, which can be exploited by a remote authenticated attacker ...
CVE-2020-26679
CVE-2020-26679 affects vFairs 3.3 and is due to insecure permissions. Any logged-in user can modify other users’ profile information or profile pictures by sending an HTTP POST with another user’s ID, potentially enabling cross-site scripting or uploading PHP webshells as profile images. User IDs...
vFairs SQL Injection Vulnerability
vFairs is a virtual event platform by vFairs Singapore. It can host exciting online conferences, trade shows, job fairs and more. A security vulnerability exists in vFairs 3.3, which stems from the ability of any user logging into a vfair 3.3 virtual meeting or event to perform SQL injection and...
CVE-2020-9450
An issue was discovered in Acronis True Image 2020 24.5.22510. antiransomwareservice.exe exposes a REST API that can be used by everyone, even unprivileged users. This API is used to communicate from the GUI to antiransomwareservice.exe. This can be exploited to add an arbitrary malicious...
NiceHash Miner Excavator 1.6.7c Cross Site Request Forgery
NiceHash Miner Excavator API Cross-Site Request Forgery ======================================================= The latest version of this advisory is available at: https://sintonen.fi/advisories/nicehash-miner-excavator-api-csrf.txt Overview -------- NiceHash Miner Excavator plugin contains a...
openSUSE Security Update : chromium (openSUSE-2021-742)
This update for chromium fixes the following issues : Chromium 90.0.4430.212 boo1185908 - CVE-2021-30506: Incorrect security UI in Web App Installs - CVE-2021-30507: Inappropriate implementation in Offline - CVE-2021-30508: Heap buffer overflow in Media Feeds - CVE-2021-30509: Out of bounds write...
CVE-2021-1507
A vulnerability in an API of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the application's web-based interface. This vulnerability exists because the API does not properly validate user-supplied...
Peloton’s Leaky API Spilled Riders’ Private Data
Peloton has hit a pothole. Its API was leaking riders’ private data, it ignored a vulnerability disclosure from a penetration testing company, and it partially fixed the hole but didn’t get around to telling the researcher until he reached out to a cybersecurity journalist for some help. This is...
XXE
A vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected device. This vulnerability is due to the improper handling of XML External Entity (XXE)...
CVE-2020-21998
CVE-2020-21998 affects HomeAutomation 3.3.2. The issue is an open redirect due to improper verification of the 'redirect' GET parameter in api.php, allowing an attacker to redirect users to arbitrary external sites. Connected documents corroborate an open-redirect vulnerability with exploit requi...
Information disclosure
In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation...
PAN-OS: Administrator secrets are logged in web server logs when using the PAN-OS XML API incorrectly
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to...
PT-2021-11997 · Unknown +3 · Ngx Http Lua Module +3
Name of the Vulnerable Software and Affected Versions: ngx http lua module aka lua-nginx-module versions prior to 0.10.16 Description: The issue allows unsafe characters in an argument when using the API to mutate a URI, or a request or response header. Recommendations: For versions prior to...