4960 matches found

CVE
added 2022/03/28 6:53 p.m. · 123 views

CVE-2022-0549

CVE-2022-0549 affects GitLab CE/EE; versions before 14.3.6, 14.4 before 14.4.4, and 14.5 before 14.5.2 are vulnerable. Under certain conditions, the REST API could allow unprivileged users to add other users to groups, contrary to Web UI constraints. Root cause: access control issue. Impact: unau...

6.5 CVSS · 6.2 AI score · 0.00906 EPSS
Exploits 1 · References 2 · Affected Software 1

Cvelist
added 2022/03/28 6:53 p.m. · 33 views

CVE-2022-0549

An issue has been discovered in GitLab CE/EE affecting all versions before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under certain conditions, GitLab REST API may allow unprivileged users to add other users to groups even if that is not...

6.5 CVSS · 6.6 AI score · 0.00906 EPSS
Exploits 1 · References 2

OSV
added 2022/03/28 6:53 p.m. · 21 views

CVE-2022-0549

An issue has been discovered in GitLab CE/EE affecting all versions before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under certain conditions, GitLab REST API may allow unprivileged users to add other users to groups even if that is not...

6.5 CVSS · 6.3 AI score · 0.00906 EPSS
Exploits 1 · References 4

Debian CVE
added 2022/03/28 6:53 p.m. · 55 views

CVE-2022-0549

Removed by vendor...

6.5 CVSS · 6.6 AI score · 0.00906 EPSS
Exploits 1

Veracode
added 2022/03/28 7:20 a.m. · 26 views

Information Disclosure

statamic/cms is vulnerable to information disclosure. The vulnerability exists because the users endpoint of the REST API allows filtering users by password hash, which lets an attacker obtain sensitive information using a specially crafted regular expression filter...

3.7 CVSS · 4.6 AI score · 0.00994 EPSS
Exploits 0 · References 6 · Affected Software 1

Positive Technologies
added 2022/03/28 12:00 a.m. · 3 views

PT-2022-13253 · Gitlab · Gitlab Ce/Ee +1

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions prior to 14.3.6 GitLab CE/EE versions 14.4.0 through 14.4.3 GitLab CE/EE versions 14.5.0 through 14.5.1 Description: An issue has been discovered in GitLab CE/EE that allows unprivileged users to add other users to group...

6.5 CVSS · 6.1 AI score · 0.00906 EPSS
Exploits 1 · References 11

OSV
added 2022/03/26 12:00 a.m. · 28 views

GHSA-69P3-XP37-F692 Improper Certificate Validation in kubeclient

A flaw was found in all versions of kubeclient up to but not including v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure custom CA to verify certs, kubeclient ends up accepting any certificate it wrongly returns...

8.1 CVSS · 7.8 AI score · 0.00905 EPSS
Exploits 0 · References 7

RubySec
added 2022/03/26 12:00 a.m. · 26 views

Improper Certificate Validation in kubeclient

A flaw was found in all versions of kubeclient up to but not including v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure custom CA to verify certs, kubeclient ends up accepting any certificate it wrongly returns...

8.1 CVSS · 2.9 AI score · 0.00905 EPSS
Exploits 0 · References 1 · Affected Software 1

NVD
added 2022/03/25 10:15 p.m. · 12 views

CVE-2022-24784

Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire...

4.3 CVSS · 0.00994 EPSS
Exploits 0 · References 3

Vulnrichment
added 2022/03/25 9:40 p.m. · 8 views

CVE-2022-24784 Discoverability of user password hash in Statamic CMS

Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire...

3.7 CVSS · 4.2 AI score · 0.00994 EPSS
Exploits 0 · References 3

CVE
added 2022/03/25 9:40 p.m. · 92 views

CVE-2022-24784

CVE-2022-24784 affects the Statamic CMS (Laravel/Git powered). Before versions 3.2.39 and 3.3.2, an attacker could confirm a single character of a user’s password hash by sending crafted requests to the REST API’s users endpoint using a regular expression filter. Repeated requests could gradually...

4.3 CVSS · 4 AI score · 0.00994 EPSS
Exploits 0 · References 3 · Affected Software 1

OSV
added 2022/03/25 9:40 p.m. · 16 views

CVE-2022-24784 Discoverability of user password hash in Statamic CMS

Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire...

3.7 CVSS · 4.8 AI score · 0.00994 EPSS
Exploits 0 · References 5

OSV
added 2022/03/25 7:15 p.m. · 20 views

CVE-2022-0759

A flaw was found in all versions of kubeclient up to but not including v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure custom CA to verify certs, kubeclient ends up accepting any certificate it wrongly returns...

8.1 CVSS · 7.9 AI score
Exploits 0 · References 2

Positive Technologies
added 2022/03/25 12:00 a.m. · 6 views

PT-2022-16877 · Statamic · Statamic

Name of the Vulnerable Software and Affected Versions: Statamic versions prior to 3.2.39 Statamic versions prior to 3.3.2 Description: The issue allows an attacker to confirm a single character of a user's password hash using a specially crafted regular expression filter in the "users" endpoint o...

4.3 CVSS · 4 AI score · 0.00994 EPSS
Exploits 0 · References 9

Hacker One
added 2022/03/21 6:20 a.m. · 20 views

Rocket.Chat: Rocket.chat user info security issue

Hello, we have found a potential security issue: a user with the “view-full-other-user-info” permission is able to view another user's OAuth tokens via the REST API. Tested on Rocket.Chat version 4.3.3. Steps to reproduce: 1. Integration with an OAuth 2.0 identity provider, e.g. Keycloak, is required 1. Add ro...

4 CVSS · 0.8 AI score · 0.00546 EPSS
Exploits 1

Cvelist
added 2022/03/18 5:00 a.m. · 17 views

CVE-2021-45966

An issue was discovered in Pascom Cloud Phone System before 7.20.x. In the management REST API, /services/apply in exd.pl allows remote attackers to execute arbitrary code via shell metacharacters...

9.9 AI score · 0.05618 EPSS
Exploits 1 · References 3

CVE
added 2022/03/18 5:00 a.m. · 1866 views

CVE-2021-45966

Pascom Cloud Phone System prior to 7.20.x contains a remote code execution flaw in the management REST API: /services/apply in exd.pl does not properly filter shell metacharacters, enabling an attacker to run arbitrary code. Affected component is the /services/apply endpoint of the exd.pl script;...

10 CVSS · 9.7 AI score · 0.05618 EPSS
Exploits 1 · References 3 · Affected Software 1

Atlassian
added 2022/03/16 4:08 a.m. · 21 views

REST API Endpoint Leaked private project to unauthorized user

Affected versions of Atlassian Jira Service Management Server and Data Center allow an authenticated attacker who doesn't have permission to access a project to view the names of private projects via an Information Disclosure vulnerability in the /rest/insight/1.0/project/picker endpoint. Affecte...

5.9 AI score
Exploits 0

Tenable Nessus
added 2022/03/14 12:00 a.m. · 39 views

GitLab 13.2 < 14.3.6 / 14.4 < 14.4.4 / 14.5 < 14.5.2 (CVE-2022-0549)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue has been discovered in GitLab CE/EE affecting all versions before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under certain condition...

6.5 CVSS · 6.4 AI score · 0.00906 EPSS
Exploits 1 · References 3

CNVD
added 2022/03/09 12:00 a.m. · 19 views

WordPress Download Manager plugin access control error vulnerability

WordPress is the WordPress Foundation's blogging platform, developed in PHP; it supports hosting personal blog sites on PHP and MySQL servers. A WordPress plugin is an open source extension for WordPress. WordPress's Download Manager plugin version...

7.5 CVSS · 2.4 AI score · 0.01493 EPSS
Exploits 2 · References 1