IPS Community Suite 4.5.4 SQL Injection
-----------------------------------------------------------------------------
IPS Community Suite, sortBy == 'popular' branch (lines 57-59 of the affected file as quoted in the advisory). The request's sortDir value is defaulted to 'ASC' and then concatenated straight into the ORDER BY string:
    \IPS\Request::i()->sortDir = \IPS\Request::i()->sortDir ?: 'ASC';
    $sortBy = 'filerating ' . \IPS\Request::i()->sortDir . ', filereviews';
    $where = array( array( 'filerating?' ...
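As an added illustration (not code from the advisory or from IPS Community Suite), the following Python script reproduces the same ORDER BY concatenation against an in-memory SQLite database with constructed sample tables. It shows how an attacker-controlled sort direction turns the result order into a yes/no oracle about data in an unrelated table, and the allowlist fix beside it. The table names, the members table, and the oracle_payload helper are assumptions made for the demo.

```python
import sqlite3

# Constructed fixture standing in for the downloads tables the quoted code
# sorts; the members table is unrelated data an attacker should never reach.
SCHEMA = """
CREATE TABLE files (file_id INTEGER PRIMARY KEY, file_name TEXT,
                    filerating REAL, filereviews INTEGER);
CREATE TABLE members (member_id INTEGER PRIMARY KEY, email TEXT);
INSERT INTO files VALUES (1, 'alpha', 4.5, 10), (2, 'beta', 3.0, 2), (3, 'gamma', 5.0, 7);
INSERT INTO members VALUES (1, 'admin@example.test');
"""

ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def popular_query_vulnerable(sort_dir):
    """Same shape as the quoted lines: the request value is defaulted to ASC
    and then concatenated straight into ORDER BY."""
    sort_dir = sort_dir or "ASC"
    return f"SELECT file_id FROM files ORDER BY filerating {sort_dir}, filereviews"


def popular_query_hardened(sort_dir):
    """ORDER BY direction cannot be a bound parameter, so reduce the request
    value to one of two known keywords before it touches the query string."""
    sort_dir = (sort_dir or "ASC").upper()
    if sort_dir not in ALLOWED_DIRECTIONS:
        raise ValueError(f"invalid sort direction: {sort_dir!r}")
    return f"SELECT file_id FROM files ORDER BY filerating {sort_dir}, filereviews"


def oracle_payload(condition_sql):
    """Hypothetical sortDir value (assumption for the demo): turns the sort key
    into an expression whose sign depends on condition_sql, so the row order
    answers a yes/no question about data in another table."""
    return (f"* 0 + (SELECT CASE WHEN ({condition_sql}) "
            f"THEN file_id ELSE -file_id END)")


def run(conn, sql):
    """Execute sql and return the list of file_ids in result order."""
    return [row[0] for row in conn.execute(sql)]


def demo():
    """Baseline order versus the order under two injected conditions; only the
    vulnerable builder is used here because the hardened one refuses the payload."""
    conn = connect()
    true_cond = "(SELECT email FROM members WHERE member_id = 1) LIKE 'a%'"
    false_cond = "(SELECT email FROM members WHERE member_id = 1) LIKE 'z%'"
    return {
        "baseline_asc": run(conn, popular_query_vulnerable("ASC")),
        "oracle_true": run(conn, popular_query_vulnerable(oracle_payload(true_cond))),
        "oracle_false": run(conn, popular_query_vulnerable(oracle_payload(false_cond))),
    }


if __name__ == "__main__":
    print(demo())
```

With the vulnerable builder the rows come back 1,2,3 when the injected condition is true and 3,2,1 when it is false, so an attacker can test the first character of another table's data one request at a time; the hardened builder raises before any query is built.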
CVE-2020-17519 Apache Flink directory traversal attack: reading remote files through the REST API
A change introduced in Apache Flink 1.11.0, and also shipped in 1.11.1 and 1.11.2, allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is limited to files readable by the JobManager process. All users shou...
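Added example (not Apache Flink's code): a Python containment check of the kind a REST endpoint that serves files from a fixed directory needs, beside the naive prefix test that lets '..' segments through. The base directory /opt/flink/log and the request strings are constructed for the demo.

```python
import posixpath
from urllib.parse import unquote


def resolve_naive(base_dir, requested):
    """Vulnerable pattern: glue the request path onto the base directory and
    trust a string-prefix test. '..' segments survive, so the OS later walks
    out of base_dir even though the string 'starts with' it."""
    candidate = base_dir + "/" + unquote(requested)
    return candidate if candidate.startswith(base_dir) else None


def resolve_under(base_dir, requested):
    """Return the normalized path for `requested` inside `base_dir`, or None.

    Decode exactly once (as the HTTP layer would, so '%2e%2e' is seen as '..'),
    refuse absolute paths and NUL bytes, collapse '.' and '..', then compare
    path components rather than a string prefix so that a base of
    '/opt/flink/log' does not admit '/opt/flink/log2'.  On a real filesystem
    follow this with os.path.realpath to defeat symlinks inside base_dir.
    """
    base_dir = posixpath.normpath(base_dir)
    decoded = unquote(requested)
    if posixpath.isabs(decoded) or "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded))
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request strings for the demo
    for req in ("jobmanager.log", "../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd", "../log2/x.log"):
        print(f"{req!r}: naive={resolve_naive('/opt/flink/log', req)!r} "
              f"checked={resolve_under('/opt/flink/log', req)!r}")
```

The naive check returns a path for every traversal attempt because the string still begins with the base directory; the component comparison rejects them and also catches the sibling-directory case that a prefix test accepts.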
CVE-2020-35934
The Advanced Access Manager plugin before 6.6.2 for WordPress displays the unfiltered user object including all metadata upon login via the REST API aam/v1/authenticate or aam/v2/authenticate. This is a security problem if this object stores information that the user is not supposed to have e.g.,...
CVE-2020-35934
The WordPress Advanced Access Manager plugin (AAM) prior to version 6.6.2 discloses the unfiltered user object (including all metadata) upon login via REST API endpoints aam/v1/authenticate and aam/v2/authenticate. This exposes user data that may include custom metadata from other plugins, creati...
CVE-2020-26033
An issue was discovered in Zammad before 3.4.1. The Tag and Link REST API endpoints for add and delete lack a CSRF token check...
CVE-2020-29160
An issue was discovered in Zammad before 3.5.1. A REST API call allows an attacker to change Ticket Article data in a way that defeats auditing...
CVE-2020-26033
CVE-2020-26033 affects Zammad prior to version 3.4.1, where the Tag and Link REST API endpoints (add and delete) do not perform CSRF token validation. Connected sources corroborate a CSRF vulnerability in the labeling/linking REST paths, with broader references noting fixes in newer releases (e.g...
CVE-2020-29160
CVE-2020-29160 affects Zammad before 3.5.1. A REST API call can modify Ticket Article data and defeat auditing via an access-control flaw, with no authentication required in CVSS terms. Impact is integrity loss (high) and auditing bypass. Remediation stated across sources is to upgrade to Zammad ...
ledger-rest-api-dev (>=0.1.9 <=0.1.10) potentially affected by CVE-2020-11093 via indy-node (=1.0.28)
indy-node PYPI version =1.0.28 is affected by a known vulnerability. The following packages have a transitive dependency on indy-node and may be impacted: - ledger-rest-api-dev =0.1.9, =0.1.10 Source cves: CVE-2020-11093 Source advisory: OSV:PYSEC-2020-48...
Privilege Escalation
keycloak is vulnerable to privilege escalation. The Account REST API can update user metadata attributes...
Freki - Malware Analysis Platform
Freki is a free and open-source malware analysis platform.
Goals:
  1. Facilitate malware analysis and reverse engineering;
  2. Provide an easy-to-use REST API for different projects;
  3. Easy deployment via Docker;
  4. Allow the addition of new features by the community.
Current features: Hash...
Information Disclosure
gitlab is vulnerable to information disclosure. The vulnerability is possible via the REST API via the GraphQL...
CVE-2020-27147
The REST API component of TIBCO Software Inc.'s TIBCO PartnerExpress contains a vulnerability that theoretically allows an unauthenticated attacker with network access to obtain an authenticated login URL for the affected system via a REST API. Affected releases are TIBCO Software Inc.'s TIBCO...