CVE-2020-4891

CVE-2020-4891 affects IBM Spectrum Scale: versions 5.0.0–5.0.5.5 and 5.1.0–5.1.0.2 expose an improper account lockout setting that could let a local attacker brute‑force REST API credentials. Affected product: IBM Spectrum Scale (GPFS-based). Root cause: inadequate local account lockout configura...

CVE-2020-4890

IBM Spectrum Scale vulnerability CVE-2020-4890 affects versions 5.0.0–5.0.5.5 and 5.1.0–5.1.0.2. A local user with a valid REST API role can cause a denial of service due to weak or absent rate limiting on REST API requests. The root cause is insufficient rate-limiting controls; impact is availab...

Security Bulletin: Multiple vulnerabilities affect the IBM Spectrum Scale GUI.

Summary Vulnerabilities exist in all levels of IBM Spectrum Scale GUI. A fix for this vulnerability is available. Vulnerability Details CVEID: CVE-2020-4890 DESCRIPTION: IBM Spectrum Scale could allow a local user with a valid role to the REST API to cause a denial of service due to weak or absen...

F5 iControl REST Remote Command Execution Vulnerability

F5 BIG-IP is F5's application delivery platform that integrates network traffic scheduling, load balancing, intelligent DNS, remote access policy management, etc. F5 BIG-IQ Centralized Management is F5's management and scheduling platform that centrally manages and controls the F5 BIG-IP physical...

jenkins: Improper handling of REST API XML deserialization errors

A flaw was found in jenkins. An attacker with permission to create or configure various objects to inject crafted content into Old Data Monitor can cause the instantiation of potentially unsafe objects once discarded by an administrator. The highest threat from this vulnerability is to data...

Improper access control

An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to gain write access to unauthorized repositories via specifically crafted pull requests and REST API requests. An attacker would need to be able to fork the target...

CVE-2021-22861

GitHub Enterprise Server vulnerability CVE-2021-22861: An improper access control issue allowed authenticated users to write to unauthorized repositories via crafted pull requests and REST API calls. Affected versions include ranges listed in PT-2021-15234: 2.4.21–2.20.23, 2.21.0–2.21.14, 2.22.0–...

User Profile Picture < 2.5.0 - Sensitive Information Disclosure

The REST API endpoint getusers in the plugin returned more information than was required for its functionality to users with the uploadfiles capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information. PoC Usage: php poc.php auth...

CVE-2019-25020

CVE-2019-25020 affects Scytl sVote 2.1. The root cause is an unauthenticated sdm-ws-rest API that allows retrieving administrative configuration by sending a POST to /sdm-ws-rest/preconfiguration. The impact is exposure of admin configuration (confidentiality impact noted as HIGH in CVSS 3.1). Ex...

Oracle Linux 8 : container-tools:ol8 (ELSA-2021-0531)

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-0531 advisory. buildah 1.16.7-4.0.1 - Handling redirect from the docker registry Orabug: 29874238 Nikita Gerasimov 1.16.7-4 - update to the latest content of...

WordPress: Privilege Escalation via REST API to Administrator leads to RCE

Kien Hoang reported a privilege escalation vulnerability in the BuddyPress REST-API. Through this issue, if registrations for new users is enabled, a non-admin user can gain administrator access on the site. The administrator access can then lead to remote code execution, as admins have the right...

RHEL 8 : container-tools:rhel8 (RHSA-2021:0531)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:0531 advisory. The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fixes: podman: environment...

CVE-2020-36237

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0...

PatrowlHears - PatrowlHears - Vulnerability Intelligence Center / Exploits

PatrOwl provides scalable, free and open-source solutions for orchestrating Security Operations and providing Threat Intelligence feeds. PatrowlHears is an advanced and real-time Vulnerability Intelligence platform, including CVE, exploits and threats news. Try it now! To try PatrowlHears, instal...

Mail.ru: REST API Endpoint leads to Unauthorized user disclosed private [ issue ] details

Summary Jira allows an administrator to restrict access to projects to specific users only. Or adjusting all project properties to be available only to the system administrator, which means that all users in the jira account cannot access issues, project, dashboard and any information about the...

The vulnerability of the REST API implementation of the network management system’s data center management module allows a attacker to execute arbitrary SQL commands.

The vulnerability of the REST API interface of the Cisco Data Center Network Manager DCNM system is related to the lack of measures taken to protect the SQL query structure. Exploiting this vulnerability allows a malicious actor to execute arbitrary SQL commands remotely...

infinispan: authorization check missing for server management operations

A flaw was found in the Infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role. The highest threat...

JetBrains YouTrack User Enumeration Vulnerability

JetBrains YouTrack is a browser-based bug tracking and project management software from the Czech company JetBrains. The software features bug tracking, creating workflows and monitoring project progress. JetBrains YouTrack suffers from a user enumeration vulnerability that can be exploited by an...

CVE-2021-1266

A vulnerability in the REST API of Cisco Managed Services Accelerator MSX could allow an authenticated, remote attacker to cause a denial of service DoS condition on an affected device. The vulnerability is due to the way that the affected software logs certain API requests. An attacker could...

Design/Logic Flaw

A vulnerability in the REST API of Cisco Managed Services Accelerator MSX could allow an authenticated, remote attacker to cause a denial of service DoS condition on an affected device. The vulnerability is due to the way that the affected software logs certain API requests. An attacker could...