MyDomoAtHome REST API Domoticz ISS Gateway 0.2.40 - Information Disclosure

Exploit: MyDomoAtHome REST API Domoticz ISS Gateway 0.2.40 - Information Disclosure Date: 2019-12-30 Author: LiquidWorm Vendor: Emmanuel Product web page: https://github.com/empierre/MyDomoAtHome https://www.domoticz.com/wiki/ImperiHome https://docs.imperihome.com/app/iss Affected version: 0.2.40...

MyDomoAtHome (MDAH) REST API Domoticz ISS Gateway 0.2.40 Information Disclosure

Summary REST Gateway between Domoticz and Imperihome ISS. Domoticz is a home automation system with a pretty wide library of supported devices, ranging from weather stations to smoke detectors to remote controls, and a large number of additional third-party integrations are documented on the...

Exploring VBO365 backups: Understanding Different Restore Scopes

Challenge You can explore backups in three different scopes: Backup Job , Organization , All organizations. Consider the following organizations added to the Veeam Backup for Microsoft 365 backup infrastructure; each of these organizations uses its own backup repository to store data: Organizatio...

CVE-2019-20043

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this...

CVE-2019-20043

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this...

Design/Logic Flaw

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this...

CVE-2019-20043

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this...

CVE-2019-20043

CVE-2019-20043 affects WordPress core (wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php) in versions 3.7–5.3.0, where authenticated users without publish rights can mark posts as sticky via the REST API, bypassing contributor-like restrictions. The impact is that unauthorized use...

CVE-2019-20043

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this...

FreeBSD : wordpress -- multiple issues (7b97b32e-27c4-11ea-9673-4c72b94353b5)

wordpress developers reports : Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so youll want to upgrade. If you havent yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues. -Props to Daniel Bachhuber for...

Featured Image from URL <= 2.7.7 - Missing Access Controls on REST routes

The REST routes are missing permission callbacks, allowing unauthenticated/unauthorised users to call them. Affected endpoints: - wp-json/featured-image-from-url/v2/enablefakeapi - wp-json/featured-image-from-url/v2/disablefakeapi - wp-json/featured-image-from-url/v2/nonefakeapi -...

OpenMRS - Java Deserialization RCE (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OpenMRS Java Deserialization RCE', 'Description' = %q OpenMRS is an open-source platform that supplies users with a customizable medical record...

WordPress < 5.3.1

WordPress versions 5.3.0 and earlier are affected by the following vulnerabilities: - Two cross-site scripting XSS vulnerabilities exist due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these, by convincing a user to click a specially crafted URL,...

OpenMRS - Java Deserialization Remote Code Execution Exploit

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OpenMRS Java Deserialization RCE', 'Description' = %q OpenMRS is an open-source platform that supplies users with a customizable medical record...

WordPress Multiple Vulnerabilities (Dec 2019) - Windows

WordPress is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:wordpress:wordpress"; ifdescripti...

wordpress -- multiple issues

wordpress developers reports: Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so youll want to upgrade. If you havent yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues. -Props to Daniel Bachhuber for findi...

WordPress <= 5.3 - Authenticated Improper Access Controls in REST API

Description An unprivileged user could make a post sticky via the REST API. Authenticated users who do not have the rights to publish a post were able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass...

CVE-2014-0026

katello-headpin is vulnerable to CSRF in REST API...

Cross site request forgery (csrf)

katello-headpin is vulnerable to CSRF in REST API...

CVE-2014-0026

katello-headpin is vulnerable to CSRF in REST API...