DEBIAN-CVE-2024-42327

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is availabl...

UBUNTU-CVE-2024-36467

An authenticated user with API access e.g.: user with default User role, more specifically a user with access to the user.update API endpoint is enough to be able to add themselves to any group e.g.: Zabbix Administrators, except to groups that are disabled or having restricted GUI access...

CVE-2024-50365

A CWE-78 "Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection'" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G = 1.6.3, EKI-6333AC-2GD = v1.6.3 and EKI-6333AC-1GPO = v1.2.1. The source of the vulnerability relies on...

tuned 安全漏洞

tuned is tuned open source server-side program for a dynamic system tuning tool. The program is mainly used to monitor and collect data from various system components, and dynamically adjust system settings based on the information provided by the data. A security vulnerability exists in tuned,...

Fides 安全漏洞

Fides is an open source privacy engineering platform open-sourced by Ethyca to manage the implementation of data privacy requests in the runtime environment and the enforcement of privacy regulations in code. A security vulnerability exists in Fides that stems from a user invitation to accept an...

PT-2024-9293 · Gitlab · Gitlab Ce/Ee +1

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 13.2.4 through 17.4.5 GitLab CE/EE versions 17.5 through 17.5.3 GitLab CE/EE versions 17.6 through 17.6.1 Description: A denial of service DoS condition was discovered in GitLab CE/EE. This issue is related to inefficien...

The vulnerability of the Fortinet FortiDeceptor system, which is used for detecting and responding to external and internal security threats, as well as the FortiSandbox system for threat detection and elimination, can be exploited due to improper privilege management. This allows attackers to execute unauthorized API calls.

The vulnerability of the Fortinet FortiDeceptor system, which is used for detecting and responding to external and internal security threats, is related to improper privilege management. Exploiting this vulnerability allows an attacker, operating locally, to execute unauthorized API calls using...

Incognito Service Activation Center 安全漏洞

Incognito Service Activation Center Incognito SAC is a cloud-native solution from Incognito that automates the delivery of intent-based IP services through any access technology and simplifies back-end processes to reduce operational expenses. A security vulnerability exists in Incognito Service...

CVE-2024-20527

A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read and delete arbitrary files on an affected device. To exploit this vulnerability, the attacker would need valid Super Admin credentials. This vulnerability is due to insufficient validation of user-suppli...

PYSEC-2024-238

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the API URL ends with Authentication. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints includ...

SUSE CVE-2024-39719

An issue was discovered in Ollama through 0.3.14. File existence disclosure can occur via api/create. When calling the CreateModel route with a path parameter that does not exist, it reflects the "File does not exist" error message to the attacker, providing a primitive for file existence on the...

PT-2024-8001 · Glpi +1 · Glpi +1

Name of the Vulnerable Software and Affected Versions: GLPI versions 9.1.0 through 10.0.16 Description: The issue is related to incorrect access control in the GLPI system, which can allow a remote attacker to exploit the vulnerability and potentially disclose confidential information. A technici...

PYSEC-2024-202

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user...

CVE-2024-51559

This vulnerability exists in the Wave 2.0 due to improper authorization checks on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating API input parameters to gain unauthorized access and perform malicious activities on other user accounts...

PT-2024-34701 · Wave · Wave

Name of the Vulnerable Software and Affected Versions: Wave 2.0 Description: This issue is due to missing restrictions for excessive failed authentication attempts on the API-based login. A remote attacker could exploit this by conducting a brute force attack against legitimate user OTP, MPIN, or...

Brokerage Wave 安全漏洞

Brokerage Wave is a frontend product from Brokerage, Inc. A security vulnerability exists in Brokerage Wave version 2.0, which stems from a lack of limitations on too many failed authentication attempts for API-based logins, which could allow an attacker to cause unauthorized access by brute-forc...

PT-2024-34699 · Wave · Wave

Name of the Vulnerable Software and Affected Versions: Wave version 2.0 Description: The issue arises from insufficient encryption of sensitive data received at the API response, allowing an authenticated remote attacker to exploit it by manipulating API input parameters. This could lead to...

The vulnerability of the iframe plugin in the JetBrains YouTrack software environment allows a hacker to execute arbitrary JavaScript code and unauthorized API calls.

The vulnerability of the iframe plugin in the JetBrains YouTrack software environment relates to insufficient verification of the connection source. Exploiting this vulnerability allows an attacker to execute arbitrary JavaScript code and make unauthorized API requests...

The vulnerability of the TrueConf Server software, related to insufficient protection of operational data, allows attackers to obtain information about system users.

The vulnerability of the TrueConf Server software is related to insufficient protection of operational data. Exploiting this vulnerability could allow a malicious actor to obtain information about system users by sending a specially crafted API request...

PT-2024-33280 · Zimaos · Zimaos

Name of the Vulnerable Software and Affected Versions: ZimaOS versions 1.2.4 and earlier Description: The issue allows unauthenticated users to access sensitive information, such as usernames, through the API endpoint http:///v1/users/name without any authorization. This could be exploited by an...