Unitrends Backup api/storage input validation vulnerability
Added: 11/29/2017. Background: Unitrends Backup is an enterprise backup, ransomware detection, and cloud continuity solution. Problem: Unitrends Backup does not properly validate the hostname parameter in a JSON request to the api/storage resource, allowing a remote attacker to bypass authentication...
CVE-2017-15924
In manager.c in ss-manager in shadowsocks-libev 3.1.0, improper parsing allows command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic, related to the addserver, buildconfig, and constructcommandline functions...
GHSA-VM28-MRM7-FPJQ sfpagent Command Injection vulnerability
lib/sfpagent/bsig.rb in the sfpagent gem before 0.4.15 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the module name in a JSON request...
Cross-site Scripting (XSS)
TYPO3 CMS is vulnerable to cross-site scripting (XSS) attacks. A malicious user can inject and execute arbitrary web script when installing a TER extension by passing a JSON request to the application...
Service Detection with 'JSON' Request
This plugin performs service detection. SPDX-FileCopyrightText: 2017 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. if(description) { script_oid("1.3.6.1.4.1.25623.1.0.108199"); ...
Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution Exploit
Serviio PRO DLNA Media Streaming Server versions 1.8.0.0 PRO, 1.7.1, 1.7.0, and 1.6.1 suffer from a REST API arbitrary code execution vulnerability. #!/usr/bin/env python Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution Vendor: Petr Nejedly | Six Lines Ltd Product web...
Cyberoam iview UTM v0.1.2.7 - (Ajax) XSS Web Vulnerability
Document Title: Cyberoam iview UTM v0.1.2.7 - Ajax XSS Web Vulnerability. References (Source): http://www.vulnerability-lab.com/getcontent.php?id=1850. Cyberoam ID: 1059276. Security ID: NCR-2064. Release Date: 2016-10-03. Vulnerability Laboratory ID...
OpenBravo Hibernate HQL Injection
Title: OpenBravo Hibernate HQL Injection Vulnerability Author: Sam Ng, HPE Software Security Research Team Vendor Patch: 3.0PR15Q3.4 and 3.0PR15Q4.1 Vendor Reference: https://issues.openbravo.com/view.php?id=31577, http://wiki.openbravo.com/wiki/ReleaseNotes/3.0PR15Q3.4,...
CVE-2015-0141
IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7.0 before FP4, and 7.1 before FP1 allows remote authenticated users to modify arbitrary user filters via a JSON request...
CVE-2015-0141
CVE-2015-0141 affects IBM OpenPages GRC Platform (versions 6.2–7.1). The root cause is insufficient access checks on JSON requests, allowing an authenticated user to modify arbitrary user filters. The vulnerability is documented with multiple related CVEs in IBM’s 2018 bulletin, which lists affec...
CVE-2014-5017
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search paramet...
CVE-2014-5017
The CVE-2014-5017 entry describes an SQL injection in LimeSurvey 2.05+ Build 140618 (CPDB) affecting admin/participants/sa/getParticipants_json via the sidx parameter in a JSON request, related to a search parameter. The root cause is improper sanitization of the sidx value in CPDB’s code path (a...
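The LimeSurvey entries above describe the classic jqGrid-style sink: a sort column name (sidx) taken from a JSON request and concatenated into ORDER BY. Identifiers cannot be bound as parameters, so the fix is an allow-list for the column and direction, with the actual search value bound separately. The following Ruby is an added illustration written for this page, not LimeSurvey's PHP code; the table name, column list and SQL shape are assumed.

```ruby
require 'json'

# Hypothetical column list; in a real application derive it from the schema
# or the model, never from the request.
SORTABLE_COLUMNS = %w[participant_id firstname lastname email language].freeze
SORT_DIRECTIONS  = %w[asc desc].freeze

class BadSortParameter < ArgumentError; end

# Vulnerable pattern (reconstruction, not LimeSurvey's code): the sidx and
# sord values from the JSON body are pasted straight into the SQL text, so
# a value such as "1; DROP TABLE participants--" becomes part of the query.
def participants_query_unsafe(json_body)
  req = JSON.parse(json_body)
  "SELECT * FROM participants ORDER BY #{req['sidx']} #{req['sord']}"
end

# Hardened form: the sort column and direction must match an allow-list
# (they are identifiers and cannot be bound), while the free-text search
# term is returned as a bind value for a prepared statement.
def participants_query_safe(json_body)
  req = JSON.parse(json_body)
  raise BadSortParameter, 'body must be a JSON object' unless req.is_a?(Hash)

  col = req.fetch('sidx', 'participant_id')
  dir = req.fetch('sord', 'asc').to_s.downcase
  raise BadSortParameter, "sidx=#{col.inspect}" unless SORTABLE_COLUMNS.include?(col)
  raise BadSortParameter, "sord=#{dir.inspect}" unless SORT_DIRECTIONS.include?(dir)

  sql = "SELECT * FROM participants WHERE firstname LIKE ? ORDER BY #{col} #{dir.upcase}"
  binds = ["%#{req.fetch('search', '')}%"]
  [sql, binds]
end

if __FILE__ == $0
  evil = '{"sidx":"1; DROP TABLE participants--","sord":"asc"}'
  puts participants_query_unsafe(evil)
  begin
    participants_query_safe(evil)
  rescue BadSortParameter => e
    puts "rejected: #{e.message}"
  end
  sql, binds = participants_query_safe('{"sidx":"lastname","sord":"desc","search":"ali"}')
  puts sql, binds.inspect
end
```

The important point is the split: anything that ends up as an SQL identifier or keyword goes through an allow-list, anything that ends up as a value goes through a bind parameter. Escaping the sidx string would not help, because ORDER BY does not accept a quoted string as a column reference.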
CVE-2014-2888
lib/sfpagent/bsig.rb in the sfpagent gem before 0.4.15 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the module name in a JSON request...
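The sfpagent entry (and the shadowsocks-libev ss-manager entry earlier on this page) share one root cause: a string from a JSON request is interpolated into a command line that is handed to a shell, so shell metacharacters in it are interpreted. The Ruby below is an added example for this page, not the gem's code: the command path and the module-name grammar are assumptions. It contrasts the string-building pattern with an argv-array form that never involves a shell, plus an allow-list check on the field itself.

```ruby
require 'json'
require 'open3'
require 'rbconfig'
require 'shellwords'

# Hypothetical reconstruction of the vulnerable pattern (not sfpagent's bsig.rb):
# the "module" field of the JSON body is interpolated into a command string
# that would then be run through /bin/sh via backticks or system(String).
def build_command_unsafe(json_body)
  req = JSON.parse(json_body)
  "/usr/bin/install-module #{req['module']}"   # hypothetical command path
end

# Allow-list for module names: starts with an alphanumeric, then letters,
# digits, '.', '_' or '-', at most 64 characters. No shell metacharacters can pass.
MODULE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/

class InvalidModuleName < ArgumentError; end

# Hardened form: validate the field, then build an argv array. Passing an
# array to Open3/Process.spawn bypasses the shell, so the value is one argument.
def build_command_safe(json_body)
  req = JSON.parse(json_body)
  name = req['module']
  unless name.is_a?(String) && MODULE_NAME.match?(name)
    raise InvalidModuleName, "module name rejected: #{name.inspect}"
  end
  ['/usr/bin/install-module', name]   # hypothetical command path
end

# If a shell really is unavoidable (e.g. a pipeline), escape each word.
def build_command_escaped(json_body)
  req = JSON.parse(json_body)
  "/usr/bin/install-module #{Shellwords.escape(req['module'].to_s)}"
end

# Runs an argv array without a shell and returns [stdout, exit status].
def run_argv(argv)
  out, status = Open3.capture2(*argv)
  [out, status.exitstatus]
end

if __FILE__ == $0
  evil = JSON.generate('module' => 'foo; id > /tmp/pwned')
  puts build_command_unsafe(evil)       # metacharacters intact, reach the shell
  puts build_command_escaped(evil)      # metacharacters escaped
  begin
    build_command_safe(evil)
  rescue InvalidModuleName => e
    puts e.message
  end
  # Demonstrate the argv form with the current Ruby interpreter as the
  # target binary: the hostile string arrives as a single inert argument.
  out, _ = run_argv([RbConfig.ruby, '-e', 'print ARGV[0]', 'foo; id > /tmp/pwned'])
  puts out
end
```

Validating the field and avoiding the shell are complementary: the allow-list rejects the request early with a clear error, and the argv form guarantees that anything which does slip through is still data, not syntax.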
Fat Free CRM Gem for Ruby allows remote attackers to obtain sensitive information
Fat Free CRM contains a flaw in the user controllers that is triggered when JSON requests are rendered with the full JSON object of the record. This may allow a remote attacker to gain access to potentially sensitive information (e.g. other users' password hashes)...
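The Fat Free CRM entry is the response-side counterpart of the injection entries above: nothing is injected, the application simply serialises the whole model row, credential columns included, when a client asks for JSON. The Ruby below is an added example for this page, not Fat Free CRM's code; the user attributes are a constructed sample, and the "serialise everything" function stands in for what a bare `render json: @user` does in Rails.

```ruby
require 'json'

# Constructed sample record standing in for a full ORM row (not Fat Free CRM's schema).
User = Struct.new(:id, :username, :email, :encrypted_password,
                  :password_salt, :perishable_token, keyword_init: true)

SAMPLE_USER = User.new(
  id: 7,
  username: 'alice',
  email: 'alice@example.com',
  encrypted_password: '$2a$10$constructedsamplehashvalue',
  password_salt: 'constructed-salt',
  perishable_token: 'constructed-reset-token'
)

# Vulnerable pattern: every column of the record goes into the response.
def render_user_unsafe(user)
  JSON.generate(user.to_h)
end

# Hardened form: an explicit allow-list of attributes exposed over JSON.
# Denying specific columns is brittle; a new sensitive column added later
# would leak by default.
PUBLIC_ATTRS = %i[id username email].freeze

def render_user_safe(user)
  JSON.generate(user.to_h.slice(*PUBLIC_ATTRS))
end

# Response-side check suitable for an integration test: walk the parsed JSON
# and collect any key whose name suggests credential or token material.
SENSITIVE_KEY = /password|salt|token|secret|api_key/i

def sensitive_keys(json_text)
  found = []
  walk = lambda do |node|
    case node
    when Hash
      node.each do |k, v|
        found << k.to_s if SENSITIVE_KEY.match?(k.to_s)
        walk.call(v)
      end
    when Array
      node.each { |v| walk.call(v) }
    end
  end
  walk.call(JSON.parse(json_text))
  found
end

if __FILE__ == $0
  puts render_user_unsafe(SAMPLE_USER)
  puts "leaked keys: #{sensitive_keys(render_user_unsafe(SAMPLE_USER)).inspect}"
  puts render_user_safe(SAMPLE_USER)
  puts "leaked keys: #{sensitive_keys(render_user_safe(SAMPLE_USER)).inspect}"
end
```

The `sensitive_keys` scan is deliberately recursive, because in a real application the leak often sits one level down (a ticket's embedded `assignee` object, a comment's `user`), not in the top-level record.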