Hacker One
added 2023/04/08 2:40 a.m.

U.S. Dept Of Defense: AEM misconfiguration leads to Information disclosure

Sensitive information was disclosed due to a misconfiguration in AEM, allowing access to internal usernames and webroot directories by appending /.1.json to certain URLs. This could lead to unauthorized access, social engineering attacks, and reputation damage...

AI score 6.7
Exploits 0
F5 Networks
added 2023/02/21 6:35 p.m.

K46401178: BIG-IP Configuration utility vulnerability CVE-2019-6599

Security Advisory Description: Improper escaping of values in an undisclosed page of the BIG-IP Configuration utility may result in improper handling of the JSON response when a malicious script is injected through a remote cross-site scripting (XSS) attack. CVE-2019-6599 Impact BIG-IP and...

CVSS 6.1 · AI score 6.2 · EPSS 0.00294
Exploits 0
Tenable Nessus
added 2023/02/14 12:00 a.m.

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : grafana (SUSE-SU-2023:0362-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0362-1 advisory. - Grafana is an open source observability and data visualization platform. Versions prior to 9.1...

CVSS 8.1 · AI score 7.2 · EPSS 0.00897
Exploits 0 · References 19
Tenable Nessus
added 2023/01/23 12:00 a.m.

SAP BusinessObjects Business Intelligence Platform XSS (3251447)

The version of SAP BusinessObjects Business Intelligence Platform installed on the remote Windows host is prior to 4.2 SP9 P11. It is, therefore, affected by a vulnerability. In SAP BusinessObjects Business Intelligence Platform Web Intelligence user interface - version 420, some calls return jso...

CVSS 5.4 · AI score 5.8 · EPSS 0.00434
Exploits 0 · References 3
Positive Technologies
added 2023/01/10 12:00 a.m.

PT-2023-15949 · Sap · Sap Businessobjects Business Intelligence Platform

Name of the Vulnerable Software and Affected Versions: SAP BusinessObjects Business Intelligence Platform version 420 Description: The issue arises from some calls returning json with the wrong content type in the header of the response. This can make a custom application that directly calls the...

CVSS 5.4 · AI score 5.1 · EPSS 0.00434
Exploits 0 · References 5
Tenable Nessus
added 2022/11/13 12:00 a.m.

FreeBSD : Grafana -- Username enumeration (0a80f159-629b-11ed-9ca2-6c3be5272acd)

The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the 0a80f159-629b-11ed-9ca2-6c3be5272acd advisory. - Grafana is an open-source platform for monitoring and observability. When using the forget password o...

CVSS 6.7 · AI score 7.2 · EPSS 0.00219
Exploits 0 · References 3
UbuntuCve
added 2022/11/09 11:15 p.m.

CVE-2022-39307

Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks...

CVSS 6.7 · AI score 6.8 · EPSS 0.00219
Exploits 0 · References 2
AlpineLinux
added 2022/11/09 11:15 p.m.

CVE-2022-39307

Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks...

CVSS 6.7 · AI score 3.2 · EPSS 0.00219
Exploits 0
FreeBSD
added 2022/10/24 12:00 a.m.

Grafana -- Username enumeration

Grafana Labs reports: When using the forget password on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message. The CVSS score for this vulnerability is 5.3 Moderate...

CVSS 8.1 · AI score 1.4 · EPSS 0.00415
Exploits 0 · References 1
Prion
added 2022/08/08 3:15 p.m.

Cross site scripting

A cross-site scripting (XSS) vulnerability in the JSON search parsing and the JSON response in wrteam.in eShop - Multipurpose Ecommerce Store Website version 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the getproducts?search parameter...

CVSS 5.8 · AI score 6 · EPSS 0.02192
Exploits 1 · References 1 · Affected software 1
OSV
added 2022/05/24 4:46 p.m.

GHSA-R3FQ-CMMW-CPMM Containous Traefik Exposes Password Hashes

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (contrary to the API documentation), allows remote authenticated users to discover password hashes by reading the Basic HTT...

CVSS 7.5 · AI score 7.4 · EPSS 0.00326
Exploits 1 · References 5
OSV
added 2022/05/19 6:15 p.m.

CVE-2022-30617

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For example, a...

CVSS 8.8 · AI score 6.5
Exploits 0 · References 1
OSV
added 2022/05/19 6:15 p.m.

CVE-2022-30618

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users from:users-permissions. There are many scenarios in whic...

CVSS 7.5 · AI score 6.6
Exploits 0 · References 1
Github Security Blog
added 2022/05/14 3:45 a.m.

Cross-Site Request Forgery (CSRF) vulnerability in Jenkins global-build-stats plugin

Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. These responses had the Content-Type text/html, so they could have been interpreted as HTML by clients, resulting in a potential reflected cross-site scripting...

CVSS 6.1 · AI score 6.3 · EPSS 0.00065
Exploits 0 · References 3 · Affected software 1
CNVD
added 2022/04/07 12:00 a.m.

Zoho ManageEngine ADAudit Plus privilege escalation vulnerability

An elevation of privilege vulnerability previously existed in Zoho ManageEngine ADAudit Plus 7055, stemming from the presence of a password field in a JSON response; an attacker could use this vulnerability to perform an authenticated elevation of privilege on the integrated product...

CVSS 8.8 · AI score 3.4 · EPSS 0.00231
Exploits 0 · References 1
ATTACKERKB
added 2022/04/05 7:15 p.m.

CVE-2022-24978

Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response...

CVSS 8.8 · AI score 5.8 · EPSS 0.00231
Exploits 0 · References 3
OSV
added 2022/04/05 7:15 p.m.

CVE-2022-24978

Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response...

CVSS 8.8 · AI score 5.8 · EPSS 0.00231
Exploits 0 · References 2
NVD
added 2022/04/05 7:15 p.m.

CVE-2022-24978

Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response...

CVSS 8.8 · EPSS 0.00231
Exploits 0 · References 2
Prion
added 2022/04/05 7:15 p.m.

Privilege escalation

Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response...

CVSS 6.5 · AI score 8.6 · EPSS 0.00231
Exploits 0 · References 2 · Affected software 1
Cvelist
added 2022/04/05 6:24 p.m.

CVE-2022-24978

Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response...

AI score 8.9 · EPSS 0.00231
Exploits 0 · References 2