
4930 matches found

NVD • added 2019/10/15 7:15 p.m. • 20 views

CVE-2019-14832

A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks...

CVSS 7.5 • AI score 5.9 • EPSS 0.00383
Exploits 0 • References 1
OSV • added 2019/10/15 7:15 p.m. • 31 views

CVE-2019-14832

A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks...

CVSS 7.5 • AI score 6.5 • EPSS 0.00383
Exploits 0 • References 1
Prion • added 2019/10/15 7:15 p.m. • 22 views

Design/Logic Flaw

A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks...

CVSS 6 • AI score 8 • EPSS 0.00383
Exploits 0 • References 1 • Affected Software 1
CVE • added 2019/10/15 6:13 p.m. • 116 views

CVE-2019-14832

CVE-2019-14832 affects Keycloak REST API prior to 8.0.0, allowing an authenticated attacker who knows a user id to access information across realms the user is not configured for, i.e., a cross-realm user access/authorization bypass. Concrete details from connected docs confirm the vulnerability ...

CVSS 7.5 • AI score 7 • EPSS 0.00383
Exploits 0 • References 1 • Affected Software 1
RedhatCVE • added 2019/10/14 6:46 p.m. • 22 views

CVE-2019-14832

A flaw was found in the Keycloak REST API where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks...

CVSS 7.5 • AI score 3.6 • EPSS 0.00383
Exploits 0 • References 3
Packet Storm • added 2019/10/11 12:00 a.m. • 241 views

SugarCRM 9.0.1 SQL Injection

-------------------------------------------------------- SugarCRM = 9.0.1 Multiple SQL Injection Vulnerabilities -------------------------------------------------------- - Software Link: https://www.sugarcrm.com - Affected Versions: Version 9.0.1 and prior versions, 8.0.3 and prior versions. -...

AI score 7.4
Exploits 0
Talos • added 2019/10/08 12:00 a.m. • 47 views

Schneider Electric Modicon M580 UMAS REST API getcominfo information disclosure vulnerability

Summary An exploitable information disclosure vulnerability exists in the UMAS REST API getcominfo functionality of the Schneider Electric Modicon M580 Programmable Automation Controller firmware version SV2.80. A specially crafted HTTP request can cause the device to return arbitrary memory,...

CVSS 7.5 • AI score 7.3 • EPSS 0.00322
Exploits 0
Talos • added 2019/10/08 12:00 a.m. • 180 views

Schneider Electric Modicon M580 UMAS REST API getcominfo denial-of-service vulnerability

Summary An exploitable denial of service vulnerability exists in the UMAS REST API getcominfo functionality of the Schneider Electric Modicon M580 Programmable Automation Controller firmware version SV2.80. A specially crafted HTTP request can cause the device to enter a non-recoverable fault...

CVSS 8.6 • AI score 8.6 • EPSS 0.0267
Exploits 0
Talos • added 2019/10/08 12:00 a.m. • 58 views

Schneider Electric Modicon M580 UMAS REST API readbolarray information disclosure vulnerability

Summary An exploitable information disclosure vulnerability exists in the UMAS REST API readbolarray functionality of the Schneider Electric Modicon M580 Programmable Automation Controller firmware version SV2.80. A specially crafted HTTP request can cause the device to return blocks of program...

CVSS 7.5 • AI score 7.5 • EPSS 0.00322
Exploits 0
Prion • added 2019/09/24 3:15 p.m. • 10 views

Sql injection

MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 allows an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used MySQL, Microsoft SQL Server, or Azure SQL, an attacker...

CVSS 7.5 • AI score 9.3 • EPSS 0.01091
Exploits 4 • References 5 • Affected Software 1
IBM Security Bulletins • added 2019/09/12 5:05 a.m. • 19 views

Security Bulletin: Secure values are recoverable via REST API (CVE-2019-4232)

Summary IBM UrbanCode Deploy could allow an authenticated user to obtain sensitive values from the REST API that could be used in further attacks against the system. Vulnerability Details CVEID: CVE-2019-4232 DESCRIPTION: IBM UrbanCode Deploy could allow an authenticated user to obtain sensitive...

AI score 1
Exploits 0 • Affected Software 1
Positive Technologies • added 2019/09/11 12:00 a.m. • 8 views

PT-2019-5224 · WordPress · Wordpress

Name of the Vulnerable Software and Affected Versions: WordPress versions 3.7 through 5.3.0 Description: The issue is related to an authentication error in the class-wp-rest-posts-controller function of the WordPress content management system, allowing users to mark posts as sticky via the REST...

CVSS 9.8 • AI score 6.7 • EPSS 0.81017
Exploits 16 • References 76
NVD • added 2019/09/10 5:15 p.m. • 8 views

CVE-2019-11464

Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Options and X-Content-Type-Options are generally advisable, however some information security professionals additionally look for X-Permitted-Cross-Domain-Policies and...

CVSS 6.1 • AI score 6.2 • EPSS 0.00185
Exploits 0 • References 1
CVE • added 2019/09/10 4:38 p.m. • 60 views

CVE-2019-11464

CVE-2019-11464 affects Couchbase Server Views REST API (port 8092), where security headers were not included in versions 5.5.0 and 5.1.2. The issue is that headers such as X-Frame-Options, X-Content-Type-Options, X-Permitted-Cross-Domain-Policies, and X-XSS-Protection were missing in responses. T...

CVSS 6.1 • AI score 6.2 • EPSS 0.00185
Exploits 0 • References 1 • Affected Software 1
Cvelist • added 2019/09/10 4:38 p.m. • 9 views

CVE-2019-11464

Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Options and X-Content-Type-Options are generally advisable, however some information security professionals additionally look for X-Permitted-Cross-Domain-Policies and...

AI score 6.2 • EPSS 0.00185
Exploits 0 • References 1
NVD • added 2019/09/08 5:15 p.m. • 10 views

CVE-2019-16101

Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows remote attackers to obtain potentially sensitive stack traces by sending incorrect JSON data to the REST API, such as the rest/json/banners URI...

CVSS 5.3 • AI score 5.3 • EPSS 0.00244
Exploits 0 • References 1
Prion • added 2019/09/08 5:15 p.m. • 9 views

Code injection

Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows remote attackers to obtain potentially sensitive stack traces by sending incorrect JSON data to the REST API, such as the rest/json/banners URI...

CVSS 5 • AI score 5.3 • EPSS 0.00244
Exploits 0 • References 1 • Affected Software 1
CVE • added 2019/09/08 4:37 p.m. • 80 views

CVE-2019-16101

CVE-2019-16101 affects Silver Peak EdgeConnect SD-WAN prior to version 8.1.7.x. The issue allows remote attackers to trigger the REST API by sending malformed JSON (e.g., to rest/json/banners), potentially causing the system to leak sensitive stack traces. Impact is information disclosure via sta...

CVSS 5.3 • AI score 5.3 • EPSS 0.00244
Exploits 0 • References 1 • Affected Software 1
Cvelist • added 2019/09/08 4:37 p.m. • 13 views

CVE-2019-16101

Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows remote attackers to obtain potentially sensitive stack traces by sending incorrect JSON data to the REST API, such as the rest/json/banners URI...

AI score 5.3 • EPSS 0.00244
Exploits 0 • References 1
NVD • added 2019/08/30 9:15 a.m. • 10 views

CVE-2019-9697

An information disclosure vulnerability in the Management Center MC REST API 2.0, 2.1, and 2.2 prior to 2.2.2.1 allows a malicious authenticated user to obtain passwords for external backup and CPL policy import servers that they might not otherwise be authorized to access...

CVSS 6.5 • AI score 6.1 • EPSS 0.00387
Exploits 0 • References 1