WordPress core <= 6.0.2 - Data Exposure vulnerability via REST API
Data Exposure vulnerability via REST API discovered by Than Taintor in WordPress core versions <= 6.0.2. Solution: Update WordPress to the latest available version, at least 6.0.3...
MTN Group: Wordpress users Disclosure [ /wp-json/wp/v2/users/ ]
Summary: Using REST API, we can see all the WordPress users/author with some of their information. Which can even be Personal information of employees/author. The file v2/users at: https://www.mtn.com/wp-json/wp/v2/users/ is enabled and this give the attacker many users names like: Amogelang...
LearnPress < 4.1.7.2 - Unauthenticated PHP Object Injection via REST API
The plugin unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leading to remote code execution (RCE). To successfully exploit this vulnerability attackers must have knowledge of the site...
WordPress LearnPress plugin <= 4.1.7.1 - Unauthenticated PHP Object Injection vulnerability
Unauthenticated PHP Object Injection vulnerability via REST API discovered by Nguyen Duy Quoc Khanh in the WordPress LearnPress plugin versions <= 4.1.7.1. Solution: Update the WordPress LearnPress plugin to the latest available version, at least 4.1.7.2...
PT-2022-5101 · Cisco · Cisco Expressway Series +1
Name of the Vulnerable Software and Affected Versions: Cisco Expressway Series and Cisco TelePresence VCS affected versions not specified Description: The issue is related to a cross-site request forgery CSRF attack. It is caused by insufficient CSRF protections for the web-based management...
Dell Networking OS10 Information Disclosure Vulnerability (CNVD-2022-69158)
Dell SmartFabric OS10 is a Linux-based network switch operating system from Dell. An information disclosure vulnerability exists in Dell SmartFabric OS10, which can be exploited by an attacker to reverse engineer sensitive information and access REST APIs with administrator privileges...
CVE-2022-29089
Dell Networking OS10, versions prior to October 2021 with Smart Fabric Services enabled, contains an information disclosure vulnerability. A remote, unauthenticated attacker could potentially exploit this vulnerability by reverse engineering to retrieve sensitive information and access the REST A...
Information disclosure
Dell Networking OS10, versions prior to October 2021 with Smart Fabric Services enabled, contains an information disclosure vulnerability. A remote, unauthenticated attacker could potentially exploit this vulnerability by reverse engineering to retrieve sensitive information and access the REST A...
Liferay Portal Path Traversal Vulnerability
Liferay Portal is a J2EE-based portal solution from Liferay, Inc. The solution uses technologies such as EJB as well as JMS, and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, and more. A security vulnerability exists in Liferay Portal...
Bitbucket Git Command Injection
Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The /rest/api/latest/projects/projectKey/repos/repositorySlug/archive endpoint creates an archive of the repository, leveraging the git-archive...
CATS - REST API Fuzzer And Negative Testing Tool For OpenAPI Endpoints
REST API fuzzer and negative testing tool. Run thousands of self-healing API tests within minutes with no coding effort! Comprehensive : tests are generated automatically based on a large number scenarios and cover every field and header Intelligent : tests are generated based on data types and...
ledger-rest-api-dev (>=0.1.9 <=0.1.10) potentially affected by CVE-2022-31006 via indy-node (=1.0.28)
indy-node PYPI version =1.0.28 is affected by a known vulnerability. The following packages have a transitive dependency on indy-node and may be impacted: - ledger-rest-api-dev =0.1.9, =0.1.10 Source cves: CVE-2022-31006 Source advisory: OSV:GHSA-X996-7QH9-7FF7...
Security Bulletin: Incorrect authorization for stop and resume Event Manager REST API in IBM Business Process Manager (CVE-2017-1628)
Summary Due to incorrect authorization for stop and resume Event Manager REST API, users without required permission can stop and resume the Event Manager in IBM Business Process Manager. Vulnerability Details CVEID: CVE-2017-1628 DESCRIPTION: IBM Business Process Manager allows authenticated use...
ledger-rest-api-dev (>=0.1.9 <=0.1.10) potentially affected by CVE-2022-31006 via indy-node (=1.0.28)
indy-node PYPI version =1.0.28 is affected by a known vulnerability. The following packages have a transitive dependency on indy-node and may be impacted: - ledger-rest-api-dev =0.1.9, =0.1.10 Source cves: CVE-2022-31006 Source advisory: OSV:PYSEC-2022-270...
CVE-2022-31149 ActivityWatch vulnerable to DNS rebinding attack
ActivityWatch open-source automated time tracker. Versions prior to 0.12.0b2 are vulnerable to DNS rebinding attacks. This vulnerability impacts everyone running ActivityWatch and gives the attacker full access to the ActivityWatch REST API. Users should upgrade to v0.12.0b2 or later to receive a...
ledger-rest-api-dev (>=0.1.9 <=0.1.10) potentially affected by CVE-2022-31020 via indy-node (=1.0.28)
indy-node PYPI version =1.0.28 is affected by a known vulnerability. The following packages have a transitive dependency on indy-node and may be impacted: - ledger-rest-api-dev =0.1.9, =0.1.10 Source cves: CVE-2022-31020 Source advisory: OSV:PYSEC-2022-265...