CVE-2024-21832
CVE-2024-21832 concerns PingFederate with a potential JSON injection vector in REST API data stores via POST requests carrying a JSON body. Metrics indicate low base score (3.5), network access, high attack complexity, and scope changes with partial integrity impact. No explicit remediation or ex...
CVE-2024-5488
The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present...
CVE-2024-5488 SEOPress < 7.9 - Unauthenticated Object Injection
The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present...
CVE-2024-5488
The CVE-2024-5488 entry concerns the SEOPress WordPress plugin (versions before 7.9). Affected component: REST API routes; root cause involves insufficient protection that, when combined with an Object Injection vulnerability, lets unauthenticated attackers unserialize malicious gadget chains. Pr...
WordPress plugin SEOPress security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...
GHSA-J59V-VGCR-HXVF GeoServer's Server Status shows sensitive environmental variables and Java properties
GeoServer's Server Status page and REST API at /geoserver/rest/about/status lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules' status message. These variables/properties can also contain sensitive information, such as...
CVE-2024-34696 GeoServer's Server Status shows sensitive environmental variables and Java properties
GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer's Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with administrative...
CVE-2024-34696
GeoServer CVE-2024-34696 describes exposure of environment variables and Java system properties via the Server Status page and REST API, accessible to administrators. The issue affects GeoServer 2.10.0 up to versions before 2.24.4 and 2.25.1, where environment data (e.g., database passwords, API ...
Security Bulletin: IBM MQ is affected by a password disclosure vulnerability (CVE-2024-35156)
Summary: IBM MQ has addressed a password disclosure vulnerability in the IBM MQ REST API. Vulnerability Details: CVEID: CVE-2024-35156. DESCRIPTION: IBM MQ could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This informatio...
MAL-2024-1799 Malicious code in azure-rest-api-specs-tests (npm)
MAL-2024-1798 Malicious code in azure-rest-api-specs-eng-tools (npm)
Source: ossf-package-analysis 34ba9e800ce9823b7e1b4b90d47a87eafdfb783d616caa8a69bf93f55ee0a9b5. The OpenSSF Package Analysis project identified 'azure-rest-api-specs-eng-tools' @ 1.0.1 npm as malicious. It is considered malicious because: -...
CVE-2024-5639
The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'restapichangeprofileimage' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...
CVE-2024-3605
The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'roomtype' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions up to, and including, 2.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on...