
295 matches found

Cvelist
added 2021/09/09 12:43 p.m. | 19 views

CVE-2021-28495

In Arista's MOS Metamako Operating System software which is supported on the 7130 product line, under certain conditions, user authentication can be bypassed when API access is enabled via the JSON-RPC APIs. This issue affects: Arista Metamako Operating System All releases in the MOS-0.1x train...

CVSS 7.2 | AI score 9.8 | EPSS 0.00144
Exploits 0 | References 1

Arista
added 2021/08/20 12:0 a.m. | 49 views

Security Advisory 0066

Security Advisory 0066 . CSAF PDF Date: August 20th, 2021 Version: 1.0 Revision | Date | Changes ---|---|--- 1.0 | August 20th, 2021 | Initial Release The CVE-ID tracking this issue: CVE-2021-28495 CVSSv3.1 Base Score: 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L Description This advisory...

CVSS 9.8 | AI score 9.6 | EPSS 0.00144
Exploits 0

Prion
added 2021/08/05 9:15 p.m. | 19 views

Input validation

An improper input validation vulnerability in the service of ezPDFReader allows attacker to execute arbitrary command. This issue occurred when the ezPDF launcher received and executed crafted input values through JSON-RPC communication...

CVSS 7.5 | AI score 9.5 | EPSS 0.00597
Exploits 0 | References 1 | Affected Software 1

CVE
added 2021/08/05 8:22 p.m. | 229 views

CVE-2021-26605

CVE-2021-26605 is a real, concrete vulnerability in ezPDFReader where the ezPDF launcher processes crafted input over JSON-RPC, allowing remote code execution due to improper input validation. The issue enables an attacker to run arbitrary commands on affected systems. Public sources confirm the ...

CVSS 9.8 | AI score 8.9 | EPSS 0.00597
In wild | Exploits 0 | References 1 | Affected Software 1

Cvelist
added 2021/08/05 8:22 p.m. | 31 views

CVE-2021-26605 unidocs ezPDFReader arbitrary command execution vulnerability

An improper input validation vulnerability in the service of ezPDFReader allows attacker to execute arbitrary command. This issue occurred when the ezPDF launcher received and executed crafted input values through JSON-RPC communication...

CVSS 7.5 | AI score 9.8 | EPSS 0.00597
Exploits 0 | References 1

ATTACKERKB
added 2021/08/05 12:0 a.m. | 119 views

CVE-2021-26605

An improper input validation vulnerability in the service of ezPDFReader allows attacker to execute arbitrary command. This issue occurred when the ezPDF launcher received and executed crafted input values through JSON-RPC communication. Recent assessments: Assessed Attacker Value: 0 Assessed...

CVSS 9.8 | AI score 4.9 | EPSS 0.00597
In wild | Exploits 0 | References 2

Zero Day Initiative
added 2021/05/11 12:0 a.m. | 58 views

Cisco RV340 set_snmp usmUserPrivKey Command Injection Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Cisco RV340 routers. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of JSON-RPC requests. When parsing the usmUserPrivKey property,...

CVSS 5.5 | AI score 4.4 | EPSS 0.00929
Exploits 2 | References 1

Zero Day Initiative
added 2021/05/11 12:0 a.m. | 66 views

Cisco RV340 set_snmp usmUserAuthKey Command Injection Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Cisco RV340 routers. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of JSON-RPC requests. When parsing the usmUserAuthKey property,...

CVSS 5.5 | AI score 4.3 | EPSS 0.0121
Exploits 1 | References 1

Zero Day Initiative
added 2021/05/11 12:0 a.m. | 69 views

Cisco RV340 set_snmp usmUserEngineID Command Injection Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Cisco RV340 routers. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of JSON-RPC requests. When parsing the usmUserEngineID property...

CVSS 5.5 | AI score 4.5 | EPSS 0.0121
Exploits 1 | References 1

Rapid7 Blog
added 2021/04/23 5:57 p.m. | 72 views

Metasploit Wrap-Up

Nagios modules Community member Erik Wynter has contributed two more Nagios XI modules this week, on top of the previous week’s contributions! If you’ve noticed Nagios XI 5.6.0 to 5.7.5 running within your target’s infrastructure during a pen test, be sure to check both these new modules out as...

CVSS 9 | AI score 0.1 | EPSS 0.93926
Exploits 20

OSV
added 2021/03/09 6:15 p.m. | 17 views

CVE-2021-21369

Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API service, then prio...

CVSS 6.5 | AI score 7.1
Exploits 0 | References 4

Prion
added 2021/03/09 6:15 p.m. | 21 views

Heap overflow

Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API service, then prio...

CVSS 4 | AI score 6.7 | EPSS 0.00579
Exploits 0 | References 4 | Affected Software 1

Cvelist
added 2021/03/09 6:10 p.m. | 11 views

CVE-2021-21369 Potential DoS in Besu HTTP JSON-RPC API

Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API service, then prio...

CVSS 6.5 | AI score 6.8 | EPSS 0.00579
Exploits 0 | References 4

CVE
added 2021/03/09 6:10 p.m. | 59 views

CVE-2021-21369

Hyperledger Besu (Java) prior to v1.5.1 is affected by a denial‑of‑service in the HTTP JSON‑RPC API when HTTP auth is enabled. The vulnerability arises because a login step to obtain a JWT is required before API calls, and an attacker can overload the login endpoint with invalid passwords. Passwo...

CVSS 6.5 | AI score 6.6 | EPSS 0.00579
Exploits 0 | References 4 | Affected Software 1

Packet Storm
added 2020/10/19 12:0 a.m. | 609 views

QRadar RemoteJavaScript Deserialization

Java deserialization vulnerability in QRadar RemoteJavaScript Servlet. Abstract...

CVSS 9 | AI score 0.2 | EPSS 0.31429
Exploits 2

Hacker One
added 2020/08/27 10:56 a.m. | 24 views

Mail.ru: [http://kiwi.youdrive.today/] Information disclosure via Kiwi TCMS vulnerability

Outdated kiwi.youdrive.today Kiwi TCMS instance was vulnerable to information disclosure via JSON-RPC endpoints. Outdated Kiwi TCMS instance was vulnerable to information disclosure via JSON-RPC endpoints. Exploit example dump users info except superuser: curl -i -s -k -X $'POST' -H $'Content-Typ...

AI score 0.8
Exploits 0

CNVD
added 2020/05/06 12:0 a.m. | 1 views

Logic Flaw Vulnerability in CPP-Ethereum JSON-RPC

CPP-Ethereum is a C++ client for Ethereum Application Programming Platform. JSON-RPC is one of the remote invocation services using JSON as the protocol. A security vulnerability exists in the minerstart API for JSON-RPC in CPP-Ethereum commit version 4e1015743b95821849d001618a7ce82c7c073768. An...

AI score 7
Exploits 0

OSV
added 2019/08/17 6:15 p.m. | 2 views

UBUNTU-CVE-2019-15132

Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of...

CVSS 5.3 | AI score 6.8 | EPSS 0.00512
Exploits 0 | References 4

Hacker One
added 2019/08/05 3:10 p.m. | 53 views

MyEtherWallet: Local Storage Custom Node Credentials Leak

Summary Credentials for a custom node are stored in plain text inside Local Storage on the user's machine. If this node is configured in a certain way this could lead to the theft of any funds in accounts attached to this node, by a local attacker. And if not configured this way, an attacker coul...

AI score 7
Exploits 0

NVD
added 2019/05/29 9:29 p.m. | 12 views

CVE-2019-11895

A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller SHC before 9.8.905 that may result in a successful denial of service of the SHC and connected sensors and actuators. In order to exploit the vulnerability, the adversary needs to...

CVSS 7.1 | AI score 5.2 | EPSS 0.00223
Exploits 0 | References 1