4936 matches found

Cvelist
added 2021/09/01 5:29 a.m. · 25 views

CVE-2021-37415

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication...

AI score 9.8 · EPSS 0.9276
Exploits 0 · References 2
Vulnrichment
added 2021/09/01 5:29 a.m. · 13 views

CVE-2021-37415

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication...

AI score 6.9 · EPSS 0.9276
Exploits 0 · References 2
ATTACKERKB
added 2021/09/01 12:00 a.m. · 71 views

CVE-2021-37415

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. Recent assessments: Assessed Attacker Value: 0; Assessed Attacker Value: 0; Assessed Attacker Value: 0...

CVSS 9.8 · AI score 3.9 · EPSS 0.9276
In wild · Exploits 0 · References 3
NVD
added 2021/08/31 9:15 p.m. · 17 views

CVE-2021-22029

VMware Workspace ONE UEM REST API contains a denial of service vulnerability. A malicious actor with access to /API/system/admins/session could cause an API denial of service due to improper rate limiting...

CVSS 7.5 · EPSS 0.00278
Exploits 0 · References 1
Prion
added 2021/08/31 9:15 p.m. · 21 views

Denial of service

VMware Workspace ONE UEM REST API contains a denial of service vulnerability. A malicious actor with access to /API/system/admins/session could cause an API denial of service due to improper rate limiting...

CVSS 5 · AI score 7.3 · EPSS 0.00278
Exploits 0 · References 1 · Affected Software 1
Cvelist
added 2021/08/31 8:50 p.m. · 19 views

CVE-2021-22029

VMware Workspace ONE UEM REST API contains a denial of service vulnerability. A malicious actor with access to /API/system/admins/session could cause an API denial of service due to improper rate limiting...

AI score 7.6 · EPSS 0.00278
Exploits 0 · References 1
CVE
added 2021/08/31 8:50 p.m. · 84 views

CVE-2021-22029

CVE-2021-22029 affects VMware Workspace ONE UEM REST API. A malicious actor with access to /API/system/admins/session can cause API denial of service due to improper rate limiting. The NVD lists CVSSv3 base 7.5 (HIGH); VMware’s advisory VMSA-2021-0017 notes a MODERATE severity with CVSSv3 up to 5...

CVSS 7.5 · AI score 7.3 · EPSS 0.00278
Exploits 0 · References 1 · Affected Software 1
Github Security Blog
added 2021/08/23 7:41 p.m. · 69 views

parse-server new anonymous user session acts as if it's created with password

Impact: Developers that use the REST API to signup users and also allow users to login anonymously. When an anonymous user is first signed up using REST, the server creates session incorrectly, particularly the authProvider field in Session class under createdWith shows the user logged in creating...

CVSS 6.5 · AI score 6.3 · EPSS 0.00218
Exploits 0 · References 5 · Affected Software 1
OSV
added 2021/08/23 7:41 p.m. · 21 views

GHSA-23R4-5MXP-C7G5 parse-server new anonymous user session acts as if it's created with password

Impact: Developers that use the REST API to signup users and also allow users to login anonymously. When an anonymous user is first signed up using REST, the server creates session incorrectly, particularly the authProvider field in Session class under createdWith shows the user logged in creating...

CVSS 4.8 · AI score 6.4 · EPSS 0.00218
Exploits 0 · References 5
wpexploit
added 2021/08/23 12:00 a.m. · 587 views

OMGF < 4.5.4 - Unauthenticated Path Traversal in REST API

The plugin does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS file with Google Fonts CSS, or download fonts uploaded on Google Fonts website. Access the URL below as unauthenticated...

CVSS 9.1 · AI score 9.5 · EPSS 0.04314
Exploits 2
WPVulnDB
added 2021/08/23 12:00 a.m. · 21 views

OMGF < 4.5.4 - Unauthenticated Path Traversal in REST API

The plugin does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS file with Google Fonts CSS, or download fonts uploaded on Google Fonts website. PoC: Access the URL below as unauthenticated...

CVSS 9.1 · AI score 0.8 · EPSS 0.04314
Exploits 2 · Affected Software 1
Prion
added 2021/08/19 4:15 p.m. · 23 views

Design/Logic Flaw

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Developers can use the REST API to signup users and also allow users to login anonymously. Prior to version 4.5.1, when an anonymous user is first signed up using REST, the server creates sessi...

CVSS 6.4 · AI score 6.4 · EPSS 0.00218
Exploits 0 · References 3 · Affected Software 1
VMware
added 2021/08/19 12:00 a.m. · 48 views

VMware Workspace ONE UEM console patches address a denial of service vulnerability (CVE-2021-22029)

3. Advisory Details: VMware Workspace ONE UEM REST API contains a denial of service vulnerability. VMware has evaluated this issue to be of 'Moderate' severity with a maximum CVSSv3 base score of 5.3...

CVSS 5 · AI score 7.5 · EPSS 0.00278
Exploits 0 · References 14 · Affected Software 1
WPVulnDB
added 2021/08/19 12:00 a.m. · 21 views

WP Cerber Security < 8.9.3 - Rest-API Protection Bypass

The /wp-json REST API endpoint is by default blocked by WP Cerber from accessing its information. However, by appending a ?, the access control list protections are bypassed and data can then be retrieved from it...

CVSS 5.3 · AI score 3 · EPSS 0.07314
Exploits 1 · References 1 · Affected Software 1
CVE
added 2021/08/18 9:40 p.m. · 87 views

CVE-2021-39138

Parse Server prior to v4.5.1 incorrectly classifies anonymous sessions as password-created when first signing up via REST, due to the createdWith value in _Session. This affects only developers who rely on createdWith for access control; the vulnerability is fixed in 4.5.1. The recommended workar...

CVSS 6.5 · AI score 5.6 · EPSS 0.00218
Exploits 0 · References 3 · Affected Software 1
WPVulnDB
added 2021/08/18 12:00 a.m. · 22 views

BuddyPress < 9.1.1 - Activation Key Disclosure

The plugin disclosed the activation key from responses of the createitem method in the BP REST API Signup controller...

AI score 1.8
Exploits 0 · References 2 · Affected Software 1
NVD
added 2021/08/17 4:15 p.m. · 11 views

CVE-2021-32829

ZStack is open source IaaS (infrastructure as a service) software aiming to automate datacenters, managing resources of compute, storage, and networking all by APIs. Affected versions of ZStack REST API are vulnerable to post-authentication Remote Code Execution (RCE) via bypass of the Groovy shell...

CVSS 9.9 · EPSS 0.01574
Exploits 1 · References 3
Cvelist
added 2021/08/17 4:00 p.m. · 10 views

CVE-2021-32829 Post-authentication Remote Code Execution (RCE) in ZStack REST API

ZStack is open source IaaS (infrastructure as a service) software aiming to automate datacenters, managing resources of compute, storage, and networking all by APIs. Affected versions of ZStack REST API are vulnerable to post-authentication Remote Code Execution (RCE) via bypass of the Groovy shell...

CVSS 9.6 · AI score 10 · EPSS 0.01574
Exploits 1 · References 3
Positive Technologies
added 2021/08/17 12:00 a.m. · 2 views

PT-2021-19960 · Zstack · Z-Stack

Name of the Vulnerable Software and Affected Versions: ZStack versions prior to 3.8.21; ZStack versions prior to 3.10.8; ZStack versions prior to 4.1.0. Description: ZStack is open source IaaS software aiming to automate datacenters, managing resources of compute, storage, and networking all by APIs...

CVSS 9.9 · AI score 9.9 · EPSS 0.01574
Exploits 1 · References 6
Patchstack
added 2021/08/16 12:00 a.m. · 18 views

WordPress SEOPress, on-site SEO plugin 5.0.0 – 5.0.3 - Stored Cross-Site Scripting (XSS) vulnerability via REST-API

Stored Cross-Site Scripting (XSS) vulnerability via REST-API discovered by Chloe Chamberland (WordFence) in WordPress SEOPress, on-site SEO plugin versions 5.0.0 – 5.0.3. Solution: Update the WordPress SEOPress, on-site SEO plugin to the latest available version (at least 5.0.4)...

CVSS 6.4 · AI score 2.6 · EPSS 0.00348
Exploits 2 · References 4 · Affected Software 1