CVE-2021-28146
The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team...
CVE-2021-28148
One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS)...
CVE-2021-28148
CVE-2021-28148 affects Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5, where one usage insights HTTP API endpoint is accessible without authentication, allowing unauthenticated requests and causing DoS on a Grafana Enterprise instance. Connected sources (OSV entrie...
CVE-2021-28147
CVE-2021-28147 affects Grafana Enterprise: when external authentication is in use and EditorsCanAdmin is enabled, any authenticated user can add external groups to any existing team due to an Incorrect Access Control flaw. Affected versions include Grafana Enterprise 6.x prior to 6.7.6, 7.x prior...
CVE-2021-28147
The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated...
CVE-2021-28122
A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. The WebUI component allows an unauthenticated user to use a crafted HTTP API request to create, read, update, or delete entries in the subscriber database. For example, new administrative users can be added. Th...
Cross-site request forgery (CSRF)
A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. The WebUI component allows an unauthenticated user to use a crafted HTTP API request to create, read, update, or delete entries in the subscriber database. For example, new administrative users can be added. Th...
CVE-2021-28122
Open5GS WebUI prior to 2.2.1 is affected by a request-validation issue that allows an unauthenticated attacker to perform CRUD operations on the subscriber database due to Express not requiring authentication. Affected versions are 2.1.3 through 2.2.x before 2.2.1. The issue enables actions such ...
Splash has a denial of service vulnerability
Splash is a JavaScript rendering service, a lightweight browser with an HTTP API, and it interfaces with the Twisted and QT libraries in Python. A denial of service vulnerability exists in Splash. An attacker can exploit this vulnerability to cause the program to crash...
Gaming Software Supply-Chain Attack Installs Spyware
Researchers allege that attackers compromised the update mechanism of NoxPlayer, software that allows gamers to run Android apps on their PCs or Macs, and then installed malware with surveillance-related capabilities onto victims' devices. NoxPlayer is developed by BigNox, which is a...
CentOS 8 : grafana (CESA-2020:1659)
The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the CESA-2020:1659 advisory. - grafana: incorrect access control in snapshot HTTP API leads to denial of service (CVE-2019-15043). Note that Nessus has not tested for this issue but has instea...
CVE-2020-23826
The Yale WIPC-303W 2.21 through 2.31 camera is vulnerable to remote command execution (RCE) through command injection via the HTTP API. NOTE: This may be a duplicate of CVE-2020-10176...
Command injection
The Yale WIPC-303W 2.21 through 2.31 camera is vulnerable to remote command execution (RCE) through command injection via the HTTP API. NOTE: This may be a duplicate of CVE-2020-10176...
CVE-2020-23826
CVE-2020-23826 affects Yale WIPC-303W cameras (versions 2.21–2.31). The issue is remote command execution via HTTP API command injection. Several sources note it may duplicate CVE-2020-10176. Connected documents confirm affected versions and that exploitation is via command injection; no explicit...
Unspecified vulnerability in Apache Pulsar manager
Apache Pulsar is a distributed messaging and streaming platform from the Apache Foundation for cloud environments, combining messaging, storage, and lightweight function computing in one system. The software supports multi-tenancy, persistent storage, cross-region data replication across multiple data centers, with strong...
CVE-2020-17520
In Pulsar Manager version 0.1.0, malicious users are able to bypass pulsar-manager's admin permission verification mechanism by constructing special URLs, thereby accessing any HTTP API...
Authentication flaw
In Pulsar Manager version 0.1.0, malicious users are able to bypass pulsar-manager's admin permission verification mechanism by constructing special URLs, thereby accessing any HTTP API...