Lucene search

499 matches found

ATTACKERKB
added 2023/02/03 1:15 a.m. · 2 views

CVE-2022-48023

Insufficient privilege verification in Zammad v5.3.0 allows an authenticated attacker to perform changes on the tags of their customer tickets using the Zammad API. This is now corrected in v5.3.1 so that only agents with write permissions may change ticket tags...

CVSS 4.3 · AI score 5.8 · EPSS 0.00449
Exploits: 0 · References: 2
CNNVD
added 2023/01/25 12:0 a.m. · 3 views

Argo CD Security Vulnerability

Argo is an open source container-native workflow engine. Argo CD is a declarative GitOps continuous delivery tool for Kubernetes. It continuously monitors running applications and compares the current live state with the desired target state, e.g., configuration in a Git repository,...

CVSS 9 · AI score 8.1 · EPSS 0.00879
Exploits: 0 · References: 4
Positive Technologies
added 2022/12/05 12:0 a.m. · 3 views

PT-2022-6244 · Ami · Ami Megarac

Name of the Vulnerable Software and Affected Versions: AMI MegaRAC affected versions not specified Description: The issue is related to insufficient protection of service data in the implementation of the application programming interface of the AMI MegaRAC firmware controllers for remote...

CVSS 7.8 · AI score 7.9 · EPSS 0.0171
Exploits: 0 · References: 6
CNNVD
added 2022/11/15 12:0 a.m. · 5 views

Simmeth System Supplier Manager Path Traversal Vulnerability

Simmeth System Supplier Manager is a supply chain software from Simmeth System, a German company, and an arbitrary file download vulnerability exists in versions prior to Simmeth System Supplier Manager 5.6, which can be exploited by attackers to download arbitrary files from a web server by...

CVSS 7.5 · AI score 6.8 · EPSS 0.00879
Exploits: 3 · References: 4
BDU FSTEC
added 2022/11/15 12:0 a.m. · 1 views

The vulnerability of the API interface of the Cisco Meeting Server platform allows a hacker to trigger a service failure.

The vulnerability of the Cisco Meeting Server’s API interface relates to insufficient validation of input data during request processing. Exploiting this vulnerability allows a malicious actor to cause service failures by sending specially crafted requests...

CVSS 4.3 · AI score 6.8 · EPSS 0.01101
Exploits: 0 · References: 2 · Affected Software: 1
ATTACKERKB
added 2022/11/03 7:6 p.m. · 1 views

CVE-2022-41607

All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prior’s application programmable interface (API) is vulnerable to directory traversal through several different methods. This could allow an attacker to read sensitive files from the server, including SSH private keys, passwords,...

CVSS 7.5 · AI score 5.8 · EPSS 0.00952
Exploits: 0 · References: 2
CNNVD
added 2022/10/26 12:0 a.m. · 3 views

Delta Electronics DIAEnergie Cross-Site Scripting Vulnerability

Delta Electronics DIAEnergie is an industrial energy management system for monitoring and analyzing energy consumption in real time, calculating energy consumption and load characteristics, optimizing equipment performance, improving production processes and maximizing energy efficiency. A securi...

CVSS 8.7 · AI score 5.4 · EPSS 0.11111
Exploits: 0 · References: 3
Positive Technologies
added 2022/10/19 12:0 a.m. · 5 views

PT-2022-26708 · Tenda · Tenda Tx3

Name of the Vulnerable Software and Affected Versions: Tenda TX3 version US TX3V1.0br V16.03.13.11 multi TDE01 Description: A stack overflow issue was discovered via the list parameter at the "/goform/SetVirtualServerCfg" API endpoint. Recommendations: For Tenda TX3 version US TX3V1.0br...

CVSS 9.8 · AI score 9.4 · EPSS 0.00755
Exploits: 0 · References: 3
CNNVD
added 2022/10/13 12:0 a.m. · 3 views

Octopus Server Security Vulnerability

Octopus Server is an automated deployment platform. Octopus Server suffers from a security vulnerability that stems from insecure direct object references (IDORs) that may leak team information through the API...

CVSS 6.5 · AI score 6.5 · EPSS 0.00528
Exploits: 0 · References: 2
CNNVD
added 2022/09/29 12:0 a.m. · 4 views

Zyxel CloudCNM SecuManager Security Vulnerability

Zyxel CloudCNM SecuManager is a set of network management software from Taiwan, China-based Zyxel. The software supports centralized control, device management and intelligent monitoring. A security vulnerability exists in Zyxel CloudCNM SecuManager version 3.1.0 and 3.1.1, which stems from an...

CVSS 5.3 · AI score 5.7 · EPSS 0.00568
Exploits: 1 · References: 3
OSV
added 2022/09/28 2:15 p.m. · 4 views

CVE-2022-22526

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a missing authentication allows for full access via API...

CVSS 9.8 · AI score 5.8 · EPSS 0.007
Exploits: 0 · References: 1
Tenable Nessus
added 2022/09/09 12:0 a.m. · 58 views

Cisco Webex Meetings App Character Interface Manipulation (cisco-sa-webex-app-qrtO6YC2)

A vulnerability in the messaging interface of Cisco Webex App, formerly Webex Teams, could allow an unauthenticated, remote attacker to manipulate links or other content within the messaging interface. This vulnerability exists because the affected software does not properly handle character...

CVSS 5.3 · AI score 6.1 · EPSS 0.00753
Exploits: 0 · References: 2
CNNVD
added 2022/09/06 12:0 a.m. · 2 views

MediaTek vow Security Vulnerability

MediaTek vow is an application chip from MediaTek, China. It provides optimized platform size and power consumption. A security vulnerability exists in MediaTek vow that stems from undefined behavior due to API misuse. This could result in a local privilege escalation that requires system executi...

CVSS 6.7 · AI score 6.8 · EPSS 0.00096
Exploits: 0 · References: 2
ATTACKERKB
added 2022/08/24 4:0 p.m. · 3 views

CVE-2022-20921

A vulnerability in the API implementation of Cisco ACI Multi-Site Orchestrator (MSO) could allow an authenticated, remote attacker to elevate privileges on an affected device. This vulnerability is due to improper authorization on specific APIs. An attacker could exploit this vulnerability by sendi...

CVSS 8.8 · AI score 7.3 · EPSS 0.00981
Exploits: 0 · References: 2
ATTACKERKB
added 2022/08/22 3:15 p.m. · 1 views

CVE-2021-3590

A flaw was found in Foreman project. A credential leak was identified which will expose Azure Compute Profile password through JSON of the API output. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...

CVSS 8.8 · AI score 5.4 · EPSS 0.00536
Exploits: 0 · References: 3
CNNVD
added 2022/08/22 12:0 a.m. · 3 views

Foreman Security Vulnerability

Foreman is a set of lifecycle management tools for use in physical and virtual servers. The tool provides features such as service provisioning, configuration management, and reporting status. Foreman has a security vulnerability that stems from an identified credential leak, which exposes Azure...

CVSS 8.8 · AI score 7.7 · EPSS 0.00536
Exploits: 0 · References: 3
CNNVD
added 2022/07/21 12:0 a.m. · 3 views

Johnson Controls Metasys ADS/ADX/OAS Servers Access Control Error Vulnerability

Johnson Controls Metasys ADS/ADX/OAS Servers is an application and data server from Johnson Controls, Inc. An access control error vulnerability exists in Johnson Controls Metasys ADS/ADX/OAS versions 10 and 11, which stems from the fact that under certain circumstances, an unauthenticated user c...

CVSS 5.3 · AI score 5.7 · EPSS 0.00547
Exploits: 0 · References: 6
OSV
added 2022/06/24 5:15 p.m. · 1 views

CVE-2022-29097

Dell WMS 3.6.1 and below contains a Path Traversal vulnerability in Device API. A remote attacker could potentially exploit this vulnerability, to gain unauthorized read access to the files stored on the server filesystem, with the privileges of the running web application...

CVSS 4.9 · AI score 5.8 · EPSS 0.01089
Exploits: 0 · References: 1
OSV
added 2022/05/24 5:21 p.m. · 3 views

GHSA-MJ8V-773W-5QHJ Mattermost Server allows System Admin to modify LDAP account names and email addresses

An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account...

CVSS 2.7 · AI score 7 · EPSS 0.00624
Exploits: 0 · References: 4
CNNVD
added 2022/05/18 12:0 a.m. · 2 views

UniverSIS-students Information Disclosure Vulnerability

UniverSIS-students is the interface for all student interactions in UniverSIS. An information disclosure vulnerability exists in UniverSIS-students prior to version 1.5.0, which stems from a lack of sensitive information protection in /api/students/me/courses/. An attacker can use this...

CVSS 6.5 · AI score 6.5 · EPSS 0.00935
Exploits: 1 · References: 2