158 matches found
PT-2022-23792 · Totolink · Totolink A7000R
Name of the Vulnerable Software and Affected Versions: TOTOLINK A7000R version 9.1.0u.6115 B20201022 Description: A command injection issue was found via the lang parameter at the "/setting/setLanguageCfg" API endpoint. This allows for potential command injection attacks. Recommendations: For...
PT-2022-19301 · Totolink · Totolink N600R
Name of the Vulnerable Software and Affected Versions: TOTOLink N600R version V5.3c.7159 B20190425 Description: A command injection issue was discovered via the langtype parameter in the "/setting/setLanguageCfg" API endpoint. This allows for potential command execution. No information is provide...
CVE-2022-25244
Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with read permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10...
CVE-2022-25244
Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with read permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10...
Code injection
Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with read permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10...
CVE-2021-42787
It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's DSA AgentConfigurationServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/agent/configuration" API. The affected endpoint does not have any input validation of the user's input that allows a...
PT-2022-11711 · Riverbed · Steelcentral Appinternals Dynamic Sampling Agent
Name of the Vulnerable Software and Affected Versions: SteelCentral AppInternals Dynamic Sampling Agent DSA affected versions not specified Description: A security issue was found in the SteelCentral AppInternals Dynamic Sampling Agent DSA, where it uses a ".debug command.config" file to store a...
CVE-2022-25244
Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with read permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10...
CVE-2022-25244
Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with read permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10...
Vault Enterprise’s Tokenization Transform Configuration Endpoint May Expose Transform Key
Summary Vault Enterprise “Vault” clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with read permissions on this endpoint. This vulnerability, CVE-2022-25244, was fixed in Vault Enterprise...
CVE-2021-43945
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting SXSS vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are...
jenkins: lack of type validation in agent related REST API
A flaw was found in Jenkins. Due to lack of validation of type of object created after loading the data submitted to the config.xml REST API endpoint of a node, an attackers with Computer/Configure permission are able to replace a node with one of a different type...
GHSA-FFW3-6MP6-JMVJ Improper Access Control in Apache Airflow
Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when webserver exposeconfig is set to False in airflow.cfg. This allowed a privilege escalation attack...
CVE-2021-26559
Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when webserver exposeconfig is set to False in airflow.cfg. This allowed a privilege escalation attack...
Improper access control
Improper Access Control on Configurations Endpoint for the Stable API of Apache Airflow allows users with Viewer or User role to get Airflow Configurations including sensitive information even when webserver exposeconfig is set to False in airflow.cfg. This allowed a privilege escalation attack...
CVE-2021-26559
CVE-2021-26559 describes an improper access control on the Stable API Configurations Endpoint in Apache Airflow, allowing users with Viewer or User roles to retrieve Airflow configurations (including sensitive data) even when webserver configuration [webserver] expose_config is set to False. Affe...
CVE-2019-9597
Darktrace Enterprise Immune System before 3.1 allows CSRF via the /config endpoint...
CVE-2016-10511
The Twitter iOS client versions 6.62 and 6.62.1 fail to validate Twitter's server certificates for the /1.1/help/settings.json configuration endpoint, permitting man-in-the-middle attackers the ability to view an application-only OAuth client token and potentially enable unreleased Twitter iOS ap...