4960 matches found
CVE-2022-22152
A Protection Mechanism Failure vulnerability in the REST API of Juniper Networks Contrail Service Orchestration allows one tenant on the system to view confidential configuration details of another tenant on the same system. By utilizing the REST API, one tenant is able to obtain information on...
CVE-2021-41767
CVE-2021-41767 affects Apache Guacamole 1.3.0 and older. The issue arises when a private tunnel identifier is wrongly included in the non-private details of certain REST responses, enabling an authenticated user who already has access to a connection to read from or interact with another user’s a...
U.S. Dept Of Defense: CVE-2021-42567 - Apereo CAS Reflected XSS on https://█████████
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints. CAS is vulnerable to a Reflected Cross-Site Scripting attack, via POST requests sent to the REST API endpoints. The payload could be injected on URLs: /███████/. Malicious scripts can be submitted to CAS via...
CVE-2021-42748
In Beaver Builder through 2.5.0.3, attackers can bypass the visibility controls protection mechanism via the REST API...
Security feature bypass
In Beaver Builder through 2.5.0.3, attackers can bypass the visibility controls protection mechanism via the REST API...
Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware
vuln4japi: A vulnerable Java-based REST API for demonstrating C...
Server-Side Request Forgery in Apache Kylin
All request mappings in StreamingCoordinatorController.java handling /kylin/api/streamingcoordinator/ REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification...
Apache Kylin server-side request forgery vulnerability
Apache Kylin is an open source distributed analytic data warehouse from the Apache Foundation. The product mainly provides an SQL query interface on top of Hadoop/Spark, multidimensional OLAP analysis and other functions. Apache Kylin has a server-side request forgery vulnerability, which ste...
CVE-2021-42748
CVE-2021-42748 affects Beaver Builder up to version 2.5.0.3. The issue allows attackers to bypass the visibility controls protection mechanism via the REST API, enabling unauthorized exposure of content. The vulnerability’s root cause is a bypass of visibility controls in REST API handling, with ...
Authorization Bypass
keycloak-services is vulnerable to authorization bypass. The library does not properly validate the existing user permissions, allowing an authorized attacker to create new default user accounts via the administrative REST API...
Server-Side Request Forgery (SSRF)
Apache Kylin is vulnerable to privilege escalation. The vulnerability exists due to the lack of validation of the host name via the request mappings in StreamingCoordinatorController.java handling /kylin/api/streamingcoordinator/ REST API endpoints allowing an attacker to issue arbitrary requests...
Improper Authorization in Keycloak
An incorrect authorization flaw was found in Keycloak 12.0.0. The flaw allows an attacker with any existing user account to create new default user accounts via the administrative REST API, even where new user registration is disabled...
CVE-2021-27738
All request mappings in StreamingCoordinatorController.java handling /kylin/api/streamingcoordinator/ REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification...
Server side request forgery (ssrf)
All request mappings in StreamingCoordinatorController.java handling /kylin/api/streamingcoordinator/ REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification...
CVE-2021-27738
CVE-2021-27738 concerns Apache Kylin prior to 3.1.2 where all request mappings in StreamingCoordinatorController.java under /kylin/api/streaming_coordinator/* lacked input validation and security checks. This enables unauthenticated users to issue arbitrary requests (e.g., assigning/unassigning s...
PT-2022-11382 · Red Hat · Keycloak
Name of the Vulnerable Software and Affected Versions: Keycloak versions 12.0.0 through 15.1.1 Description: A flaw was found in Keycloak that allows an attacker with any existing user account to create new default user accounts via the administrative REST API, even when new user registration is...
Information Disclosure
mediawiki is vulnerable to information disclosure. The vulnerability exists because the REST API incorrectly caches autocomplete search results from private wikis in a publicly accessible cache...
WordPress WP Guppy Plugin Information Disclosure Vulnerability
WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports the hosting of personal blog sites on servers with PHP and MySQL. The WordPress WP Guppy Plugin prior to version 1.3 is vulnerable to an information disclosure vulnerability tha...
CVE-2021-24997
The WP Guppy WordPress plugin before 1.3 does not perform any authorisation checks in some of its REST API endpoints, allowing any user to call them. This could lead to sensitive information disclosure, such as usernames and chats between users, and also allows sending messages as an arbitrary user...