Information disclosure
The WP Guppy WordPress plugin before 1.3 does not have any authorisation in some of its REST API endpoints, allowing any user to call them. This could lead to disclosure of sensitive information, such as usernames and chats between users, and also allows messages to be sent as an arbitrary user...
CVE-2021-24997
The CVE-2021-24997 entry concerns the WordPress WP Guppy plugin (versions before 1.3). The issue is a lack of authorization in certain REST API endpoints, enabling any user to call endpoints and potentially disclose sensitive information (e.g., usernames, user chats) and to send messages as anoth...
Explanation of what Java API is ❓ Types. Examples
When the two most viable and essential aspects of application/software development come together, programmers gain unmatched functionality. The Java API (Application Programming Interface) is the perfect example of how to attain this. Acknowledged as a crucial entity for internal and open...
Shortcode Addons < 3.1.0 - Unauthenticated Arbitrary Option Update
The plugin does not have any authorisation in its REST API endpoints; one of them could allow unauthenticated attackers to update arbitrary blog options. PoC POST /wp-json/ShortCodeAddonsUltimate/v2/addonssettings HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate...
Tabs < 3.6.0 - Unauthenticated Arbitrary Option Update
The plugin does not have any authorisation in its REST API endpoints; one of them could allow unauthenticated attackers to update arbitrary blog options. PoC...
MGASA-2021-0568 Updated mediawiki packages fix security vulnerabilities
Updated mediawiki packages fix security vulnerabilities: == Security fixes == T292763, CVE-2021-44854 REST API incorrectly publicly caches autocomplete search results from private wikis. T271037, CVE-2021-44856 Title blocked in AbuseFilter can be created via Special:ChangeContentModel. T297322,...
Updated mediawiki packages fix security vulnerabilities
Updated mediawiki packages fix security vulnerabilities: == Security fixes == T292763, CVE-2021-44854 REST API incorrectly publicly caches autocomplete search results from private wikis. T271037, CVE-2021-44856 Title blocked in AbuseFilter can be created via Special:ChangeContentModel. T297322,...
CVE-2021-4133
A flaw was found in Keycloak versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled. Mitigation: Access to the user-creation functionality in the...
Image Hover Effects Ultimate < 9.7.0 - Unauthenticated Arbitrary Option Update
The plugin does not have any authorisation in its REST API endpoints; one of them could allow unauthenticated attackers to update arbitrary blog options. The original report mentioned the issue being fixed in 9.6.2, however it was still possible for attackers to exploit it and proper remediation h...
CVE-2021-41242
OpenOlat is a web-based learning management system. A path traversal vulnerability exists in OpenOlat prior to versions 15.5.12 and 16.0.5. By providing a filename that contains a relative path as a parameter in some REST methods, it is possible to create directory structures and write files...
CVE-2021-41242
OpenOlat (web-based LMS) has a path traversal vulnerability in REST methods that allow an attacker with a user account and enabled REST API to craft a filename containing a relative path, enabling write access to files anywhere under the web root or beyond depending on server configuration. Affec...
Cross-site Scripting in Apereo CAS
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints...
GHSA-M3RF-7M4W-R66Q Improper Authentication in Flask-AppBuilder
Impact Improper authentication on the REST API. Allows for a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected REST API endpoints. Only affects non database authentication types, and new REST API endpoints. Patches Upgrade to...
Improper Authentication in Flask-AppBuilder
Impact Improper authentication on the REST API. Allows for a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected REST API endpoints. Only affects non database authentication types, and new REST API endpoints. Patches Upgrade to...
CVE-2021-41265
Flask-AppBuilder is a development framework built on top of Flask. Versions prior to 3.3.4 contain an improper authentication vulnerability in the REST API. The issue allows for a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected RE...
Authentication flaw
Flask-AppBuilder is a development framework built on top of Flask. Versions prior to 3.3.4 contain an improper authentication vulnerability in the REST API. The issue allows for a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected RE...
PYSEC-2021-851
Flask-AppBuilder is a development framework built on top of Flask. Versions prior to 3.3.4 contain an improper authentication vulnerability in the REST API. The issue allows for a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected RE...
CVE-2021-41265
CVE-2021-41265 affects Flask-AppBuilder prior to 3.3.4, due to an improper authentication vulnerability in the REST API. The issue allows a malicious actor to authenticate with a crafted request and access protected REST API endpoints, limited to non-database authentication types and new REST API...
CVE-2021-41265 Improper Authentication in Flask-AppBuilder
Flask-AppBuilder is a development framework built on top of Flask. Versions prior to 3.3.4 contain an improper authentication vulnerability in the REST API. The issue allows for a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected RE...