1618 matches found

NVD | added 2025/02/18 12:15 a.m. | 10 views

CVE-2025-20075

Server-side request forgery (SSRF) vulnerability exists in FileMegane versions above 3.0.0.0 prior to 3.4.0.0. Executing arbitrary backend Web API requests could potentially lead to rebooting the services...

CVSS 7.2 | EPSS 0.00327
Exploits: 0 | References: 2

RedhatCVE | added 2025/02/14 1:49 p.m. | 13 views

CVE-2024-32838

SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints' query parameter. Users are recommended to upgrade to...

CVSS 9.4 | AI score 8 | EPSS 0.01302
Exploits: 0 | References: 1

RedhatCVE | added 2025/02/14 12:41 p.m. | 10 views

CVE-2023-32741

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in IT Path Solutions PVT LTD Contact Form to Any API allows SQL Injection. This issue affects Contact Form to Any API: from n/a through 1.1.2...

CVSS 7.2 | AI score 7.4 | EPSS 0.00557
Exploits: 2 | References: 1

RedhatCVE | added 2025/02/08 4:39 a.m. | 14 views

CVE-2025-0466

The Sensei LMS WordPress plugin before 4.24.4 does not properly protect some of its REST API routes, allowing unauthenticated attackers to leak senseiemail and senseimessage information...

CVSS 5.3 | AI score 6.8 | EPSS 0.0037
Exploits: 1 | References: 1

NVD | added 2025/02/07 4:15 p.m. | 28 views

CVE-2024-52882

An issue was discovered in AudioCodes One Voice Operations Center (OVOC) before 8.4.582. Due to improper neutralization of input via the devices API, an attacker can inject malicious JavaScript code (XSS) to attack logged-in administrator sessions...

CVSS 6.1 | EPSS 0.00217
Exploits: 0 | References: 2

NCSC | added 2025/02/07 7:50 a.m. | 4 views

Vulnerabilities fixed in Cisco Identity Services Engine

Cisco has fixed vulnerabilities in Cisco Identity Services Engine (ISE). The vulnerabilities are in the API of Cisco ISE, which allows an authenticated remote malicious person to execute arbitrary commands as the root user through insecure deserialization of Java byte streams. All of these...

CVSS 9.9 | AI score 7.8 | EPSS 0.16282
Exploits: 5 | References: 2

RedhatCVE | added 2025/02/06 2:30 a.m. | 10 views

CVE-2025-20156

A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device. This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could...

CVSS 9.9 | AI score 6.9 | EPSS 0.01153
Exploits: 0 | References: 1

RedhatCVE | added 2025/02/05 10:46 p.m. | 10 views

CVE-2022-36068

Discourse is an open source discussion platform. In versions prior to 2.8.9 on the stable branch and prior to 2.9.0.beta10 on the beta and tests-passed branches, a moderator can create new and edit existing themes by using the API when they should not be able to do so. The problem is patched in...

CVSS 7.2 | AI score 6.5 | EPSS 0.00715
Exploits: 0

OSV | added 2025/02/05 5:15 p.m. | 3 views

CVE-2025-20125

A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node. This vulnerability is due to a lack of authorization in a specific API and improper validation o...

CVSS 7.2 | AI score 5.8 | EPSS 0.145
Exploits: 2 | References: 1

NVD | added 2025/02/05 5:15 p.m. | 19 views

CVE-2025-20125

A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node. This vulnerability is due to a lack of authorization in a specific API and improper validation o...

CVSS 9.1 | EPSS 0.145
Exploits: 2 | References: 1

CVE | added 2025/02/05 4:12 p.m. | 157 views

CVE-2025-20125

Cisco ISE (Identity Services Engine) vulnerability CVE-2025-20125 affects the API layer and is tied to multiple issues including insecure Java deserialization and inadequate authorization. An attacker with valid read-only credentials can remotely access the device to obtain sensitive information,...

CVSS 9.1 | AI score 6.7 | EPSS 0.145
Exploits: 2 | References: 1 | Affected Software: 1

Vulnrichment | added 2025/02/05 4:12 p.m. | 17 views

CVE-2025-20125 Cisco Identity Services Engine Insufficient Authorization Bypass Vulnerability

A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node. This vulnerability is due to a lack of authorization in a specific API and improper validation o...

CVSS 9.1 | AI score 6.7 | EPSS 0.145
Exploits: 2 | References: 1

Vulnrichment | added 2025/02/05 4:12 p.m. | 17 views

CVE-2025-20124 Cisco Identity Services Engine Java Deserialization Vulnerability

A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device. This vulnerability is due to insecure deserialization of user-supplied Java byte streams by the affected software. An attacker could exploit...

CVSS 9.9 | AI score 7.8 | EPSS 0.16282
Exploits: 4 | References: 1

CVE | added 2025/02/05 4:12 p.m. | 251 views

CVE-2025-20124

Cisco Identity Services Engine (ISE) exposes a vulnerability via insecure Java deserialization in its API. An authenticated attacker with valid read-only credentials can send a crafted serialized Java object to the affected API to execute arbitrary commands on the device with root privileges, pot...

CVSS 9.9 | AI score 9.7 | EPSS 0.16282
Exploits: 4 | References: 1 | Affected Software: 1

RedhatCVE | added 2025/02/05 2:57 p.m. | 7 views

CVE-2020-15269

In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory...

CVSS 9.1 | AI score 6.5 | EPSS 0.01051
Exploits: 0

NVD | added 2025/02/05 12:15 p.m. | 15 views

CVE-2024-49348

IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 allows restricting access to organizational data to valid contexts. The fact that tasks of type comment can be reassigned via API implicitly...

CVSS 6.5 | EPSS 0.00237
Exploits: 0 | References: 1

RedhatCVE | added 2025/02/05 12:4 p.m. | 6 views

CVE-2024-7628

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.15.2. This is due to the use of loose comparison in the 'verifyidtoken' function. This makes it possible for unauthenticated attackers to...

CVSS 8.1 | AI score 6.8 | EPSS 0.00658
Exploits: 0 | References: 1

RedhatCVE | added 2025/02/05 7:56 a.m. | 7 views

CVE-2024-29023

Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. Session tokens are exposed in the return of session search API call on the sessions page. Subsequently they can be exfiltrated and used to hijack a session. Users must be...

CVSS 7.2 | AI score 7 | EPSS 0.00802
Exploits: 0 | References: 1

OSV | added 2025/02/05 7:26 a.m. | 12 views

BIT-SUPERSET-2024-24772 Apache Superset: Improper Neutralisation of custom SQL on embedded context

A guest user could exploit a chart data REST API and send arbitrary SQL statements that on error could leak information from the underlying analytics database. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, whi...

CVSS 4.3 | AI score 4.7 | EPSS 0.00945
Exploits: 0 | References: 3

RedhatCVE | added 2025/02/05 3:44 a.m. | 7 views

CVE-2024-45392

SuiteCRM is an open-source customer relationship management (CRM) system. Prior to version 7.14.5 and 8.6.2, insufficient access control checks allow a threat actor to delete records via the API. Versions 7.14.5 and 8.6.2 contain a patch for the issue...

CVSS 7.7 | AI score 6.9 | EPSS 0.00278
Exploits: 0 | References: 1