GitLab: Attacker can create malicious child epics linked to a victim's epic in an unrelated group
A vulnerability existed in GitLab that allowed an attacker to create malicious child epics linked to a victim's epic in an unrelated group. The attacker could create the malicious child epics by referring to the victim's epic via the parentid. The vulnerability was due to the lack of proper acces...
HTML Injection
org.keycloak:keycloak-services is vulnerable to HTML Injection. A malicious user is able to send emails containing phishing links to users via the execute-actions-email endpoint of the admin REST API...
HTML Injection in Keycloak Admin REST API
The execute-actions-email endpoint of the Keycloak Admin REST API allows a malicious actor to send emails containing phishing links to Keycloak users...
Exploit for Improper Access Control in Joomla Joomla!
CVE-2023-23752 Joomla unauthorized access vulnerability CVE...
ManageEngine Firewall Analyzer REST API Key Disclosure (CVE-2022-36923)
Binary data manageenginefirewallanalyzercve-2022-36923direct.nbin...
K13074505: libarchive vulnerability CVE-2016-8687
Security Advisory Description Stack-based buffer overflow in the safe_fprintf function in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a denial of service via a crafted non-printable multibyte character in a filename. CVE-2016-8687 Impact For BIG-IP and VIPRION platforms that ar...
K16861: BIG-IQ remote authentication vulnerability CVE-2015-4637
Security Advisory Description When remote authentication is configured on the BIG-IQ system for an LDAP server that allows anonymous BIND operations, an unauthenticated user may obtain an authentication token from the REST API for any known or guessed LDAP user account and will receive all the acce...
K47105354: Lodash library vulnerability CVE-2019-10744
Security Advisory Description Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. CVE-2019-10744 Impact An attacker can use Function inside of...
K23203045: BIG-IP Advanced WAF and ASM REST API vulnerability CVE-2021-23014
Security Advisory Description BIG-IP Advanced WAF and ASM are missing authorization checks for file uploads to a specific directory within the REST API, which might allow authenticated users with guest privileges to upload files. CVE-2021-23014 Impact If an attacker has network access to the BIG-...
CVE-2022-48318 Insecure access control mechanisms for RestAPI documentation
No authorisation controls in the RestAPI documentation for Tribe29's Checkmk <= 2.1.0p13 and Checkmk <= 2.0.0p29 which may lead to unintended information disclosure through automatically generated user specific tags within Rest API documentation...
PT-2023-15694 · Checkmk · Checkmk
Name of the Vulnerable Software and Affected Versions: Checkmk versions 2.0.0p1 through 2.0.0p28 Checkmk versions 2.1.0p1 through 2.1.0p10 Description: The issue arises from the insecure termination of expired sessions in the RestAPI, allowing an attacker to utilize expired session tokens for...
Checkmk Code Issue Vulnerability
Checkmk is an editor. A security vulnerability exists in Tribe29 Checkmk version 2.1.0p10 and earlier, version 2.0.0p28 and earlier, which stems from failing to securely terminate expired sessions in RestAPI. An attacker could exploit the vulnerability to use an expired session token when...
PT-2023-15695 · Checkmk · Checkmk
Name of the Vulnerable Software and Affected Versions: Checkmk versions 2.0.0 through 2.0.0p29 Checkmk versions 2.1.0 through 2.1.0p13 Description: The issue is related to the lack of authorization controls in the RestAPI documentation for Checkmk, which may lead to unintended information...
Unauthorized Access Vulnerability in Joomla!
Joomla! is a globally recognized content management system. An unauthorized access vulnerability exists in Joomla! versions 4.0.0 through 4.2.7. The vulnerability is due to an incorrect access check in the affected versions, which can be exploited by an attacker to gain unauthorized access to the...
Improper Certificate Validation
cloudconnectlib is vulnerable to Improper Certificate Validation. Requests to third-party APIs through the REST API Modular Input allows a remote attacker to downgrade the API request to HTTP after a connection over HTTPS fails when the REST API Modular Input functionality is used through its use...
Splunk Enterprise 8.1 < 8.1.13, 8.2.0 < 8.2.10, 9.0.0 < 9.0.4 (SVD-2023-0208)
The version of Splunk installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0208 advisory. - In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the 'sendemail' REST API endpoint lets any authenticated user...
Unauthorized Rest Api owned by Joomla(officially accepted)
Description Joomla has provided the Rest API since version 4.0. These APIs require authentication information when accessed, but if public is added to the request parameters when accessing the API, then any unauthenticated user can directly access it. Proof of Concept The API can directly obtain...
SUSE CVE-2010-3782
obs-server before 1.7.7 allows logins by 'unconfirmed' accounts due to a bug in the REST api implementation...
SUSE CVE-2013-6428
The ReST API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 allows remote authenticated users to bypass the tenant scoping restrictions via a modified tenant_id in the request path...
SUSE CVE-2014-7811
Multiple cross-site scripting (XSS) vulnerabilities in Spacewalk and Red Hat Network (RHN) Satellite before 5.7.0 allow remote authenticated users to inject arbitrary web script or HTML via crafted XML data to the REST API...