4960 matches found

NVD
added 2022/01/24 3:15 a.m. · 17 views

CVE-2022-23858

A flaw was found in the REST API. An improperly handled REST API call could allow any logged user to elevate privileges up to the system account. This affects StarWind Command Center build 6003 v2...

CVSS 9 · EPSS 0.01121
Exploits 0 · References 1
Prion
added 2022/01/24 3:15 a.m. · 22 views

Command injection

A flaw was found in the REST API. An improperly handled REST API call could allow any logged user to elevate privileges up to the system account. This affects StarWind Command Center build 6003 v2...

CVSS 9 · AI score 8.6 · EPSS 0.01121
Exploits 0 · References 1 · Affected Software 1
CVE
added 2022/01/24 2:01 a.m. · 70 views

CVE-2022-23858

The CVE-2022-23858 issue affects StarWind Command Center (REST API) where an improperly handled REST call allows any logged-in user to elevate privileges to the system account. Affected: StarWind Command Center build 6003 v2. Root cause: improper handling of REST API calls leading to privilege es...

CVSS 9 · AI score 8.9 · EPSS 0.01121
Exploits 0 · References 1 · Affected Software 1
CNNVD
added 2022/01/24 12:00 a.m. · 6 views

StarWind Command Center Privilege Permission and Access Control Issue Vulnerability

StarWind Command Center is a single management platform for managing and monitoring UI from StarWind, Inc. designed to simplify and automate the control of day-to-day HCI routines. StarWind Command Center has a Privilege Permission and Access Control Issue vulnerability that stems from the fact...

CVSS 9 · AI score 8.2 · EPSS 0.01121
Exploits 0 · References 3
Positive Technologies
added 2022/01/24 12:00 a.m. · 6 views

PT-2022-16296 · Starwind · Starwind Command Center

Name of the Vulnerable Software and Affected Versions: StarWind Command Center versions prior to V2 build 6021 StarWind Command Center build 6003 v2 Description: A flaw was found in the REST API, allowing an improperly handled REST API call to elevate privileges up to the system account for any...

CVSS 9 · AI score 9.1 · EPSS 0.01121
Exploits 0 · References 3
ThreatPost
added 2022/01/21 6:19 p.m. · 33 views

20K WordPress Sites Exposed by Insecure Plugin REST-API

More than 20,000 WordPress sites are vulnerable to malicious code injection, phishing scams and more as the result of a high-severity cross-site scripting XSS bug discovered in the WordPress Email Template Designer – WP HTML Mail, a plugin for designing custom emails. The new vulnerability...

CVSS 8.3 · AI score 6.7 · EPSS 0.70511
Exploits 3 · References 6
Prion
added 2022/01/19 1:15 a.m. · 22 views

Design/Logic Flaw

A Protection Mechanism Failure vulnerability in the REST API of Juniper Networks Contrail Service Orchestration allows one tenant on the system to view confidential configuration details of another tenant on the same system. By utilizing the REST API, one tenant is able to obtain information on...

CVSS 4 · AI score 6.3 · EPSS 0.0078
Exploits 0 · References 1 · Affected Software 1
Cvelist
added 2022/01/19 12:20 a.m. · 22 views

CVE-2022-22152 Contrail Service Orchestration: Tenants able to see other tenants policies via REST API interface

A Protection Mechanism Failure vulnerability in the REST API of Juniper Networks Contrail Service Orchestration allows one tenant on the system to view confidential configuration details of another tenant on the same system. By utilizing the REST API, one tenant is able to obtain information on...

CVSS 7.7 · AI score 7.6 · EPSS 0.0078
Exploits 0 · References 1
CVE
added 2022/01/19 12:20 a.m. · 152 views

CVE-2022-22152

The CVE covers a REST API access-control failure in Juniper Networks Contrail Service Orchestration. A tenant can view confidential configuration details of other tenants (e.g., firewall configuration and access control policies) due to insufficient authorization checks, exposing sensitive inform...

CVSS 7.7 · AI score 6.5 · EPSS 0.0078
Exploits 0 · References 1 · Affected Software 1
0day.today
added 2022/01/19 12:00 a.m. · 331 views

WordPress Email Template Designer – WP HTML Mail 3.0.9 Cross Site Scripting Vulnerability

WordPress Email Template Designer – WP HTML Mail plugin versions 3.0.9 and below suffer from a cross site scripting vulnerability. Exploit makes it possible for unauthenticated attackers to achieve complete site takeover. On December 23, 2021 the Wordfence Threat Intelligence team initiated the...

CVSS 8.3 · AI score 6.4 · EPSS 0.70511
Exploits 3
CNVD
added 2022/01/19 12:00 a.m. · 23 views

Juniper Networks Contrail Service Orchestration Access Control Error Vulnerability

Juniper Networks Contrail Service Orchestration is a robust software platform from Juniper Networks USA, Inc. used to connect many enterprise and multi-tenant service provider solutions. Juniper Networks Contrail Service Orchestration suffers from an access control error vulnerability that stems...

CVSS 7.7 · AI score 2.8 · EPSS 0.0078
Exploits 0 · References 1
Tenable Nessus
added 2022/01/19 12:00 a.m. · 33 views

F5 Networks BIG-IP : BIG-IP ASM and Advanced WAF REST API endpoint vulnerability (K08402414)

The version of F5 Networks BIG-IP installed on the remote host is prior to 13.1.5 / 14.1.4.5 / 15.1.4.1 / 16.1.2 / 17.0.0. It is, therefore, affected by a vulnerability as referenced in the K08402414 advisory. - On BIG-IP ASM & Advanced WAF version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1,...

CVSS 4.3 · AI score 5.3 · EPSS 0.00739
Exploits 0 · References 2
vulnersOsv
added 2022/01/18 3:29 p.m. · 5 views

mongo-rest-api (=0.1.0), pine-ql (>=0.1.0 <=0.5.4) potentially affected by CVE-2020-28272 +1 more via keyget (=1.0.1)

keyget NPM version =1.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on keyget and may be impacted: - mongo-rest-api =0.1.0 - pine-ql >=0.1.0, <=0.5.4 Source cves: CVE-2020-28272, CVE-2021-23760 Source advisory: SNYK:JS-KEYGET-2342624...

CVSS 9.8 · AI score 7.2 · EPSS 0.03257
Exploits 2
NVD
added 2022/01/17 1:15 p.m. · 12 views

CVE-2021-25036

The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users...

CVSS 8.8 · EPSS 0.02975
Exploits 1 · References 3
Prion
added 2022/01/17 1:15 p.m. · 18 views

Privilege escalation

The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable use...

CVSS 6.5 · AI score 8.9 · EPSS 0.02975
Exploits 1 · References 3 · Affected Software 1
Cvelist
added 2022/01/17 1:00 p.m. · 21 views

CVE-2021-25036 All In One SEO < 4.1.5.3 - Authenticated Privilege Escalation

The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users...

AI score 9.2 · EPSS 0.02975
Exploits 1 · References 3
Veracode
added 2022/01/17 8:12 a.m. · 18 views

Cross-Site Request Forgery (CSRF)

livehelperchat is vulnerable to cross-site request forgery. The server is unable to verify the authenticity of web requests due to a lack of anti-CSRF protection mechanism in the REST API, allowing an attacker to submit requests on behalf of the user, and potentially obtain credentials via the...

CVSS 6.5 · AI score 3.8 · EPSS 0.00512
Exploits 1 · References 2 · Affected Software 1
Positive Technologies
added 2022/01/17 12:00 a.m. · 6 views

PT-2022-9593 · WordPress · All In One Seo

Name of the Vulnerable Software and Affected Versions: All in One SEO WordPress plugin versions prior to 4.1.5.3 Description: The issue allows bad actors to access protected REST API endpoints, potentially enabling users with low-privileged accounts to perform remote code execution on affected...

CVSS 8.8 · AI score 8.8 · EPSS 0.02975
Exploits 1 · References 7
CNVD
added 2022/01/16 12:00 a.m. · 19 views

Caldera Command Injection Vulnerability

A command injection vulnerability exists in Caldera 2.8.1 and earlier, which stems from multiple startup "requirements" that execute commands when starting a server that commands can be changed via the REST API. An authenticated attacker could use this vulnerability to insert arbitrary commands a...

CVSS 8.8 · AI score 4.5 · EPSS 0.01957
Exploits 3 · References 1
Prion
added 2022/01/12 8:15 p.m. · 14 views

Design/Logic Flaw

An issue was discovered in CALDERA 2.8.1. It contains multiple startup "requirements" that execute commands when starting the server. Because these commands can be changed via the REST API, an authenticated user can insert arbitrary commands that will execute when the server is restarted...

CVSS 6.5 · AI score 8.7 · EPSS 0.01957
Exploits 3 · References 2 · Affected Software 1