CVE-2022-1783 (Design/Logic Flaw)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for malicious group maintainers to add new members to a project within their...
CVE-2022-1783
CVE-2022-1783 affects GitLab CE/EE across multiple streams: 14.3–14.9.5, 14.10–14.10.4, and 15.0–15.0.1. The issue allows malicious group maintainers to add new project members via the REST API even when a group owner disables such additions. Affected components are GitLab’s group/project members...
CVE-2022-1783
Removed by vendor...
CVE-2022-1598 WPQA < 5.5 - Unauthenticated Private Message Disclosure
The WPQA Builder WordPress plugin before 5.5, which is a companion to the Discy and Himer, lacks authentication in a REST API endpoint, allowing unauthenticated users to discover private questions sent between users on the site...
CVE-2022-1598
The CVE-2022-1598 entry concerns the WPQA Builder WordPress plugin (pre-5.5) with an improper access control in a REST API endpoint, enabling unauthenticated users to view private questions/messages between site users. Affected software: WPQA Builder WordPress plugin prior to version 5.5. Root ca...
Design/Logic Flaw
StarWind SAN and NAS v0.2 build 1914 allows remote code execution. A flaw was found in the REST API in StarWind Stack. The REST command which allows changing the hostname doesn't check the new hostname parameter. It goes directly to bash as part of a script. An attacker with non-root user access can injec...
CVE-2022-32268
CVE-2022-32268 affects StarWind SAN and NAS v0.2 build 1914. The REST API command to change the hostname does not validate the new hostname parameter and passes it to bash within a script, allowing an attacker with non-root access to inject data and achieve root-level code execution. No exploitat...
The vulnerability of the REST API interface implementation of the software package for working with IoT devices, known as Open Automation Software, arises from the lack of authentication for a critical function. This allows a perpetrator to execute arbitrary code.
The vulnerability of the REST API interface implementation of the software package for working with IoT devices is related to the lack of authentication for critical functions. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by sending specially crafted HTTP...
The Bug Report – May 2022 Edition
The Bug Report – May 2022 Edition By Trellix · June 1, 2022 This blog was written by Douglas McKee Your Cybersecurity Comic Relief Source: https://twitter.com/cyb3rops/status/1523579115152064513?s=20&t=jtGMOibQPsPviekQoWKIA Why Am I here? People often come together not only due to common interest...
CVE-2022-30585 (Authorization)
The REST API in Archer Platform 6.x before 6.11 (6.11.0.0) contains an Authorization Bypass Vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to view sensitive information. 6.10 P3 (6.10.0.3) and 6.9 SP3 P4 (6.9.3.4) are also fixed releases...
CVE-2022-30585
CVE-2022-30585 affects Archer Platform 6.x before 6.11 (6.11.0.0) where the REST API permits an Authorization Bypass. A remote authenticated malicious user could view sensitive information. Affected/fixed releases noted: 6.11.0.0 fixes the issue; older releases such as 6.10.0.3 and 6.9.3.4 are al...
Open Automation Software OAS Platform Access Control Error Vulnerability (CNVD-2022-58679)
Open Automation Software OAS Platform is an industrial Internet of Things (IoT) suite from Open Automation Software, Inc. Open Automation Software OAS Platform V16.00.0121 is vulnerable to an access control error that could be exploited by an attacker to make unauthenticated use of the REST API wit...
CVE-2022-26833 (Authentication flaw)
An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. A specially-crafted series of HTTP requests can lead to unauthenticated use of the REST API. An attacker can send a series of HTTP requests to trigger this...