Dell EMC Data Protection Advisor Code Injection Vulnerability

Dell EMC Data Protection Advisor is a data protection management solution from Dell Dell. The product supports data backup, data recovery and data replication management. A code injection vulnerability exists in the REST API in Dell EMC Data Protection Advisor. A remote attacker could leverage th...

CVE-2019-18581

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this...

CVE-2019-18582

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server-side template injection vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this...

Sql injection

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server-side template injection vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this...

Authorization

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this...

CVE-2019-18581

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this...

CVE-2019-18582

Dell EMC Data Protection Advisor (DPA) REST API versions 6.3/6.4/6.5, 18.2 before patch 83, and 19.1 before patch 71 are affected by a server-side template injection vulnerability. A remote authenticated attacker with admin privileges can inject scripts via the report generation feature, potentia...

CVE-2020-10257

The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trxaddons/v2/get/sclayout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trxaddonsrestgetsclayout with an unsafe sc parameter...

Design/Logic Flaw

The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trxaddons/v2/get/sclayout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trxaddonsrestgetsclayout with an unsafe sc parameter...

CVE-2020-10257

CVE-2020-10257 concerns the WordPress ThemeREX Addons plugin prior to 2020-03-09. The issue is an access-control flaw in the /trx_addons/v2/get/sc_layout REST API endpoint: includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter, allowing unauthenticated users...

VulnCheck KEV: CVE-2020-10257

The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trxaddons/v2/get/sclayout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trxaddonsrestgetsclayout with an unsafe sc parameter...

Tomcat version information disclosed when calling REST endpoints

h3. Issue Summary When accessing the REST API endpoints as an unauthenticated user an error page is displayed and this page contains the version information for Tomcat. This is a security concern and should not be disclosed. h3. Steps to Reproduce As an unauthenticated user access the following...

Security Bulletin: IBM MQ Console and REST API are vulnerable to multiple Denial of service attacks within HTTP/2 (CVE-2019-9515, CVE-2019-9518, CVE-2019-9517, CVE-2019-9514, CVE-2019-9512, CVE-2019-9513)

Summary Several issues were reported against the HTTP/2 implementation used by IBM WebSphere Application Server Liberty Profile which is used to host the IBM MQ Console and REST API. Vulnerability Details CVEID: CVE-2019-9515 DESCRIPTION: Some HTTP/2 implementations are vulnerable to a settings...

Information Disclosure

buddypress is vulnerable to information disclosure. Requests to a some of the REST API endpoints can allow an unauthenticated remote attacker to obtain private user data...

CVE-2020-5244

In BuddyPress before 5.1.2, requests to a certain REST API endpoint can result in private user data getting exposed. Authentication is not needed. This has been patched in version 5.1.2...

CVE-2020-5244

In BuddyPress before 5.1.2, requests to a certain REST API endpoint can result in private user data getting exposed. Authentication is not needed. This has been patched in version 5.1.2...

Authentication flaw

In BuddyPress before 5.1.2, requests to a certain REST API endpoint can result in private user data getting exposed. Authentication is not needed. This has been patched in version 5.1.2...

CVE-2020-5244

CVE-2020-5244 affects the WordPress BuddyPress plugin prior to version 5.1.2. The vulnerability allows an unauthenticated attacker to trigger requests to a REST API endpoint and disclose private user data. The root cause is an information-disclosure flaw in the exposed REST endpoint, enabling exp...

CVE-2020-5244 Private data exposure via REST API in BuddyPress

In BuddyPress before 5.1.2, requests to a certain REST API endpoint can result in private user data getting exposed. Authentication is not needed. This has been patched in version 5.1.2...

GHSA-3J78-7M59-R7GV Private data exposure via REST API in BuddyPress

In BuddyPress before 5.1.2, requests to a certain REST API endpoint can result in private user data getting exposed. Authentication is not needed. This has been patched in version 5.1.2...