CVE-2018-1976

IBM API Connect 5.0.0.0 through 5.0.8.4 is impacted by sensitive information disclosure via a REST API that could allow a user with administrative privileges to obtain highly sensitive information. IBM X-Force ID: 154031...

CVE-2018-1976

IBM. API Connect 5.0.0.0–5.0.8.4 is affected by a REST API–driven information disclosure that could allow a user with administrative privileges to obtain highly sensitive data. The root cause is described as a sensitive information disclosure via a REST API. The issue is addressed in IBM API Conn...

Security Bulletin: API Connect V5 is impacted by sensitive information disclosure via a REST API (CVE-2018-1976)

Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2018-1976 DESCRIPTION: IBM API Connect V5 is impacted by sensitive information disclosure via a REST API that could allow a user with administrative privileges to obtain highly sensitive informatio...

CVE-2017-6924

In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services rest module enabled, the...

Code injection

In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services rest module enabled, the...

CVE-2017-6924

In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services rest module enabled, the...

CVE-2017-6924 REST API can bypass comment approval - Access Bypass - Moderately Critical

In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services rest module enabled, the...

CVE-2017-6924

Drupal 8.x before 8.3.7 is affected by CVE-2017-6924 where REST API access can allow users to post approved comments without proper permission if REST module and comment resource are enabled and an attacker can access a user account or anonymous comments. The root cause is a flaw in the REST API ...

Cross-site Scripting (XSS)

spacewalk-java is vulnerable to cross-site scripting XSS attacks. The vulnerability exists through multiple cross-site scripting XSS vulnerabilities in Spacewalk and Red Hat Network RHN Satellite before 5.7.0 allow remote authenticated users to inject arbitrary web script or HTML via crafted XML...

Arbitrary Code Execution Through REST API Call

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call...

Cross-Site Request Forgery (CSRF)

OpenShift Enterprise is vulnerable to cross-site request forgery CSRF. The server is unable to verify the authenticity of web requests due to a lack of anti-CSRF protection mechanism in the REST API, allowing an attacker to submit requests on behalf of the user, and potentially obtain credentials...

etcd 3.2.x, 3.3.x Authentication Vulnerability

etcd is vulnerable to an improper authentication issue when role-based access control RBAC is used and client-cert-auth is enabled. SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders...

CVE-2018-16886

etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control RBAC is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name CN which matches a valid RBAC username, a remot...

CVE-2018-16886

etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control RBAC is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name CN which matches a valid RBAC username, a remot...

CVE-2018-16886

etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control RBAC is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name CN which matches a valid RBAC username, a remot...

CVE-2018-16886

etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control RBAC is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name CN which matches a valid RBAC username, a remot...

Description of the security update for SharePoint Enterprise Server 2016: January 8, 2019

Description of the security update for SharePoint Enterprise Server 2016: January 8, 2019 Summary This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, se...

Sprint End Date in a distant future causes OutOfMemoryError

h3. Summary Jira Software REST API /rest/agile/1.0/sprint/ is allowing to enter a date in the future, much higher than what is allowed by the UI . That causes Jira to hit OutOfMemoryError when loading a board based on a sprint having a big number of years as "End Date" due to excessive object...

CVE-2018-1778

IBM LoopBack IBM API Connect 2018.1, 2018.4.1, 5.0.8.0, and 5.0.8.4 could allow an attacker to bypass authentication if the AccessToken Model is exposed over a REST API, it is then possible for anyone to create an AccessToken for any User provided they know the userId and can hence get access to...

Authentication flaw

IBM LoopBack IBM API Connect 2018.1, 2018.4.1, 5.0.8.0, and 5.0.8.4 could allow an attacker to bypass authentication if the AccessToken Model is exposed over a REST API, it is then possible for anyone to create an AccessToken for any User provided they know the userId and can hence get access to...