
454 matches found

AlpineLinux
added 2019/09/03 11:47 a.m., 29 views

CVE-2019-15043

In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana...

CVSS 7.5, AI score 7.5, EPSS 0.90928
Exploits: 1

ATTACKERKB
added 2019/09/03 12:0 a.m., 34 views

CVE-2019-15043

In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. Recent assessments: h0ffayyy at September 26, 2020 6:21pm UTC reported: The Dashboard Snapshot API allows an...

CVSS 7.5, AI score 1.7, EPSS 0.90928
Exploits: 1, References: 15

RedhatCVE
added 2019/08/30 5:58 a.m., 27 views

CVE-2019-15043

In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. Mitigation: Block access to the snapshot feature by blocking the /api/snapshots URL via a web application firewall,...

CVSS 7.5, AI score 0.3, EPSS 0.90928
Exploits: 1, References: 3

ArchLinux
added 2019/08/30 12:0 a.m., 27 views

[ASA-201908-21] grafana: denial of service

Arch Linux Security Advisory ASA-201908-21. Severity: Medium; Date: 2019-08-30; CVE-ID: CVE-2019-15043; Package: grafana; Type: denial of service; Remote: Yes; Link: https://security.archlinux.org/AVG-1034. Summary: The package grafana before versio...

CVSS 7.5, AI score 2.8, EPSS 0.90928
Exploits: 1, References: 4

NVD
added 2019/07/03 8:15 p.m., 9 views

CVE-2017-8230

On Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices, the users on the device are divided into 2 groups "admin" and "user". However, as a part of security analysis it was identified that a low privileged user who belongs to the "user" group and who has access to login in to the web administrativ...

CVSS 8.8, AI score 8.6, EPSS 0.00503
Exploits: 1, References: 2

NVD
added 2019/07/03 8:15 p.m., 11 views

CVE-2017-13719

The Amcrest IPM-721S AmcrestIPC-AWXXEngNV2.420.AC00.17.R.20170322 allows HTTP requests that permit enabling various functionalities of the camera by using HTTP APIs, instead of the web management interface that is provided by the application. This HTTP API receives the credentials as base64 encod...

CVSS 9.8, AI score 9.9, EPSS 0.02872
Exploits: 1, References: 3

Prion
added 2019/07/03 8:15 p.m., 11 views

Stack overflow

The Amcrest IPM-721S AmcrestIPC-AWXXEngNV2.420.AC00.17.R.20170322 allows HTTP requests that permit enabling various functionalities of the camera by using HTTP APIs, instead of the web management interface that is provided by the application. This HTTP API receives the credentials as base64 encod...

CVSS 7.5, AI score 9.8, EPSS 0.02872
Exploits: 1, References: 3, Affected Software: 1

Cvelist
added 2019/07/03 7:40 p.m., 13 views

CVE-2017-13719

The Amcrest IPM-721S AmcrestIPC-AWXXEngNV2.420.AC00.17.R.20170322 allows HTTP requests that permit enabling various functionalities of the camera by using HTTP APIs, instead of the web management interface that is provided by the application. This HTTP API receives the credentials as base64 encod...

AI score 10, EPSS 0.02872
Exploits: 1, References: 3

CVE
added 2019/07/03 7:40 p.m., 242 views

CVE-2017-13719

CVE-2017-13719 affects the Amcrest IPM-721S camera. The HTTP API accepts credentials in the Authorization header, but a missing length check allows a 1024-character password to trigger a stack-based buffer overflow in the credential-checking code (binary “sonia” in /usr). This memory corruption c...

CVSS 9.8, AI score 9.9, EPSS 0.02872
Exploits: 1, References: 3, Affected Software: 1

CVE
added 2019/07/03 7:30 p.m., 249 views

CVE-2017-8230

The CVE-2017-8230 entry concerns Amcrest IPM-721S devices with firmware V2.420.AC00.16.R.20160909. A low-privilege user can authenticate to the web admin interface and add a new admin account via HTTP APIs, gaining full admin capabilities. The root cause is an authorization bypass in the HTTP API...

CVSS 8.8, AI score 8.9, EPSS 0.00503
Exploits: 1, References: 2, Affected Software: 1

Cisco
added 2019/06/19 4:0 p.m., 76 views

Cisco Enterprise Chat and Email Attachment Download Vulnerability

A vulnerability in the HTTP API of Cisco Enterprise Chat and Email could allow an unauthenticated, remote attacker to download files attached through chat sessions. The vulnerability is due to insufficient authentication mechanisms on the file download function of the API. An attacker could explo...

CVSS 6.5, AI score 0.4, EPSS 0.01282
Exploits: 0, References: 1

NVD
added 2019/06/10 10:29 p.m., 9 views

CVE-2017-13718

The HTTP API supported by Starry Station aka Starry Router allows brute forcing the PIN setup by the user on the device, and this allows an attacker to change the Wi-Fi settings and PIN, as well as port forward and expose any internal device's port to the Internet. It was identified that the devi...

CVSS 8, AI score 7.8, EPSS 0.01472
Exploits: 1, References: 3

Prion
added 2019/06/10 10:29 p.m., 10 views

Code injection

The HTTP API supported by Starry Station aka Starry Router allows brute forcing the PIN setup by the user on the device, and this allows an attacker to change the Wi-Fi settings and PIN, as well as port forward and expose any internal device's port to the Internet. It was identified that the devi...

CVSS 6, AI score 7.8, EPSS 0.01472
Exploits: 1, References: 3

CVE
added 2019/06/10 9:31 p.m., 59 views

CVE-2017-13718

The CVE-2017-13718 entry concerns Starry Station (Starry Router) and its HTTP API, where an attacker can brute-force the user PIN to alter Wi‑Fi settings, PINs, port forwards, and expose internal ports via the Internet. The root cause appears to be an API surface (rodman Python module) that allow...

CVSS 8, AI score 7.7, EPSS 0.01472
Exploits: 1, References: 3, Affected Software: 1

Cvelist
added 2019/06/10 9:31 p.m., 15 views

CVE-2017-13718

The HTTP API supported by Starry Station aka Starry Router allows brute forcing the PIN setup by the user on the device, and this allows an attacker to change the Wi-Fi settings and PIN, as well as port forward and expose any internal device's port to the Internet. It was identified that the devi...

AI score 7.8, EPSS 0.01472
Exploits: 1, References: 3

exploitpack
added 2019/03/25 12:0 a.m., 22 views

Apache CouchDB 2.3.1 - Cross-Site Request Forgery Cross-Site Scripting

Apache CouchDB 2.3.1 - Cross-Site Request Forgery Cross-Site Scripting Exploit Title: Apache CouchDB 2.3.1 | Cross-Site Request Forgery / Cross-Site Scripting Date: 22.03.2019 Exploit Author: Ozer Goker Vendor Homepage: http://couchdb.apache.org Software Link: http://couchdb.apache.org/download...

AI score 0.7
Exploits: 0

Exploit DB
added 2019/03/25 12:0 a.m., 247 views

Apache CouchDB 2.3.1 - Cross-Site Request Forgery / Cross-Site Scripting

Exploit Title: Apache CouchDB 2.3.1 | Cross-Site Request Forgery / Cross-Site Scripting Date: 22.03.2019 Exploit Author: Ozer Goker Vendor Homepage: http://couchdb.apache.org Software Link: http://couchdb.apache.org/download Version: 2.3.1 Introduction A CouchDB server hosts named databases, whic...

AI score 7.4
Exploits: 0

0day.today
added 2019/03/25 12:0 a.m., 77 views

Apache CouchDB 2.3.1 - Cross-Site Request Forgery / Cross-Site Scripting Vulnerabilities

Exploit for multiple platform in category web applications Exploit Title: Apache CouchDB 2.3.1 | Cross-Site Request Forgery / Cross-Site Scripting Date: 22.03.2019 Exploit Author: Ozer Goker Vendor Homepage: http://couchdb.apache.org Software Link: http://couchdb.apache.org/download Version: 2.3....

AI score 0.3
Exploits: 0

Packet Storm
added 2019/03/22 12:0 a.m., 22 views

Apache CouchDB 2.3.1 Cross Site Request Forgery / Cross Site Scripting

Exploit Title: Apache CouchDB 2.3.1 | Cross-Site Request Forgery / Cross-Site Scripting Date: 22.03.2019 Exploit Author: Ozer Goker Vendor Homepage: http://couchdb.apache.org Software Link: http://couchdb.apache.org/download Version: 2.3.1 Introduction A CouchDB server hosts named databases, whic...

Exploits: 0

Packet Storm
added 2019/02/18 12:0 a.m., 28 views

Apache CouchDB 2.3.0 Cross Site Scripting

Exploit Title: Apache CouchDB 2.3.0 | Cross-Site Scripting Date: 17.02.2019 Exploit Author: Ozer Goker Vendor Homepage: http://couchdb.apache.org Software Link: http://couchdb.apache.org/download Version: 2.3.0 Introduction A CouchDB server hosts named databases, which store documents. Each...

AI score 7.4
Exploits: 0