110 matches found

EUVD
added 2025/10/03 8:07 p.m. · 7 views

EUVD-2022-5584

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 5.1 · EPSS 0.00034
Exploits 0 · References 8
EUVD
added 2025/10/03 8:07 p.m. · 4 views

EUVD-2025-23880

Malicious code in bioql PyPI...

CVSS 8.7 · AI score 6.5 · EPSS 0.00355
Exploits 0 · References 1
Github Security Blog
added 2025/09/15 9:30 p.m. · 6 views

Liferay Portal Uses Default Password

Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35, and older unsupported versions do not limit access to APIs before a user has changed their initial password, whi...

CVSS 6.9 · AI score 6.9 · EPSS 0.00073
Exploits 0 · References 3 · Affected software 1
OSV
added 2025/09/15 9:15 p.m. · 2 views

CVE-2025-43799

Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35, and older unsupported versions do not limit access to APIs before a user has changed their initial password, whi...

CVSS 6.5 · AI score 6.9 · EPSS 0.00073
Exploits 0 · References 1
CVE
added 2025/08/06 8:45 p.m. · 22 views

CVE-2025-7770

CVE-2025-7770 affects Tigo Energy Cloud Connect Advanced (CCA). The vulnerability is insecure session ID generation in the remote API, where session IDs are produced by a predictable method based on the current timestamp, enabling attackers to recreate valid session IDs. Combined with bypassing s...

CVSS 8.7 · AI score 6.3 · EPSS 0.00355
Exploits 0 · References 1
Positive Technologies
added 2025/08/05 12:00 a.m. · 4 views

PT-2025-32228 · Tigo Energy · Tigo Energy Cca

Name of the Vulnerable Software and Affected Versions: Tigo Energy CCA device, affected versions not specified
Description: The Tigo Energy CCA device is susceptible to insecure session ID generation within its remote API. Session IDs are created using a predictable method based on the current...

CVSS 9 · AI score 6.2 · EPSS 0.00355
Exploits 0 · References 7
CNNVD
added 2025/05/06 12:00 a.m. · 3 views

Crestron Automate VX Security Vulnerability

Crestron Automate VX is an enterprise-grade intelligent space automation platform with integrated AV control, IoT device management, and data analytics from Crestron USA. A security vulnerability exists in Crestron Automate VX versions 5.6.8161.21536 through 6.4.0.49, which stems from a remote we...

CVSS 5.3 · AI score 6.8 · EPSS 0.00281
Exploits 0 · References 3
BDU FSTEC
added 2024/11/18 12:00 a.m. · 1 views

The vulnerability of the GLPI system's request, incident, and asset inventory management, related to improper access control, allows an intruder to gain unauthorized access to the account.

The vulnerability of the GLPI system for managing requests, incidents, and inventory of computer equipment is related to improper access control. Exploiting this vulnerability could allow a malicious actor, operating remotely, to gain unauthorized access to the account through the API...

CVSS 10 · AI score 5.4 · EPSS 0.00511
Exploits 0 · References 6 · Affected software 2
CNNVD
added 2024/10/31 12:00 a.m. · 2 views

Century Systems FutureNet NXR Security Vulnerability

Century Systems FutureNet NXR is a series of routers from Century Systems, Japan. A security vulnerability exists in Century Systems FutureNet NXR, which arises from an initial configuration where REST-APIs are accidentally enabled during device startup, which could allow an attacker to gain acce...

CVSS 9.8 · AI score 9.5 · EPSS 0.00192
Exploits 0 · References 3
Trend Micro Simply Security
added 2024/10/22 12:00 a.m. · 14 views

Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach

In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts...

AI score 7.4
Exploits 0
Positive Technologies
added 2024/09/11 12:00 a.m. · 3 views

PT-2024-10394 · Cisco · Cisco Optical Site Manager +3

Name of the Vulnerable Software and Affected Versions:
- Cisco Crosswork Network Services Orchestrator NSO, affected versions not specified
- Cisco ConfD, affected versions not specified
- Cisco Optical Site Manager, affected versions not specified
- Cisco RV340 Dual WAN Gigabit VPN Routers, affected version...

CVSS 9 · AI score 7 · EPSS 0.0148
Exploits 0 · References 17
SUSE CVE
added 2023/02/15 4:35 a.m. · 1 views

SUSE CVE-2017-1000398

The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/agent-name/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read...

CVSS 4.3 · AI score 4.9 · EPSS 0.00188
Exploits 0 · References 3
SUSE CVE
added 2023/02/15 3:44 a.m. · 2 views

SUSE CVE-2021-27358

The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set...

CVSS 7.5 · AI score 7.8 · EPSS 0.92396
Exploits 0 · References 11
Github Security Blog
added 2022/05/14 1:04 a.m. · 26 views

Exposure of Sensitive Information to an Unauthorized Actor in Jenkins

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/ID/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This h...

CVSS 4.3 · AI score 2.7 · EPSS 0.00275
Exploits 0 · References 5 · Affected software 1
OSV
added 2022/05/14 1:04 a.m. · 1 views

GHSA-WQV4-9GR3-3QGH Exposure of Sensitive Information to an Unauthorized Actor in Jenkins

Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/username/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote...

CVSS 4.3 · AI score 5.9 · EPSS 0.00107
Exploits 0 · References 4
Github Security Blog
added 2022/05/14 1:04 a.m. · 23 views

Exposure of Sensitive Information to an Unauthorized Actor in Jenkins

Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/username/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote...

CVSS 4.3 · AI score 2.2 · EPSS 0.00107
Exploits 0 · References 4 · Affected software 1
Github Security Blog
added 2022/05/14 1:04 a.m. · 27 views

Exposure of Sensitive Information to an Unauthorized Actor in Jenkins

The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/agent-name/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read...

CVSS 4.3 · AI score 3.5 · EPSS 0.00188
Exploits 0 · References 5 · Affected software 1
Github Security Blog
added 2022/02/15 1:57 a.m. · 44 views

Denial of service in Grafana

The snapshot feature in Grafana before 7.4.2 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set. Specific Go Packages Affected: github.com/grafana/grafana/pkg/middleware...

CVSS 7.5 · AI score 7.5 · EPSS 0.92396
Exploits 0 · References 7 · Affected software 1
Tenable Nessus
added 2021/11/13 12:00 a.m. · 245 views

CentOS 8 : grafana (CESA-2021:4226)

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2021:4226 advisory.
- grafana: snapshot feature allows an unauthenticated remote attacker to trigger a DoS via a remote API call (CVE-2021-27358)
- golang: crypto/elliptic:...

CVSS 7.5 · AI score 7.1 · EPSS 0.92396
Exploits 3 · References 6
AlmaLinux
added 2021/11/09 8:46 a.m. · 95 views

Moderate: grafana security, bug fix, and enhancement update

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. The following packages have been upgraded to a later upstream version: grafana 7.5.9 (BZ1921191).
Security Fixes:
- golang: crypto/elliptic: incorrect operations on the P-224 curve...

CVSS 7.5 · AI score 7.3 · EPSS 0.92396
Exploits 3 · References 5