OrientDB < 2.0.15 / 2.1.1 XSRF
The version of OrientDB running on the remote host is prior to 2.0.15 or 2.1.1. It is, therefore, affected by a cross-site request forgery (XSRF) vulnerability due to the server allowing JSONP callbacks within the REST API. An unauthenticated, remote attacker can exploit this, via a crafted web pag...
Cisco Unified Communications Manager IM and Presence Service REST API Denial of Service Vulnerability
A vulnerability in the Representational State Transfer (REST) interface of the Cisco Unified Communications Manager IM and Presence Service could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition because the Cisco Session Initiation Protocol (SIP) proxy...
F5 Networks BIG-IQ REST API Authentication Bypass (SOL16861)
According to its version number, the remote F5 Networks BIG-IQ device is affected by an authentication bypass vulnerability due to a flaw in the REST API. An unauthenticated, remote attacker can exploit this to obtain an authentication token for arbitrary LDAP user accounts when the device is...
CVE-2015-1844
Foreman before 1.7.5 allows remote authenticated users to bypass organization and location restrictions by connecting through the REST API...
CVE-2015-1844
CVE-2015-1844 corresponds to a Foreman/Satellite API authorization flaw: remote authenticated users could bypass organization/location restrictions via the REST API. Connected advisories (RHSA-2015:1591/1592) indicate affected Foreman components and that remediation is provided through Red Hat Sa...
WordPress WP REST API Plugin <= 1.2.2 - Cross Site Scripting
Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Solution: Update the plugin...
WP REST API (WP API) <= 1.2.2 - Cross-Site Scripting (XSS)
Requests from other origins could potentially run code on the API domain, allowing cross-origin access to authentication cookies or similar...
CVE-2015-1906
Cross-site scripting (XSS) vulnerability in the REST API in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0 allows remote authenticated users to inject arbitrary web script or HTML via a crafted U...
Design/Logic Flaw
The REST API in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0 allows remote authenticated users to bypass intended access restrictions on task-variable value changes via unspecified vectors...
CVE-2015-1905
The REST API in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0 allows remote authenticated users to bypass intended access restrictions on task-variable value changes via unspecified vectors...
CVE-2015-1905
CVE-2015-1905 affects IBM Business Process Manager (BPM) REST API in BPM versions 7.5.x–8.5.6.0. The vulnerability arises from insufficient authorization checks, allowing remote authenticated users to bypass intended access restrictions on task-variable value changes via the REST API. The IBM adv...
CVE-2015-1906
CVE-2015-1906 is an XSS vulnerability in the IBM Business Process Manager (BPM) REST API. A remote authenticated user can inject script via a crafted URL in BPM versions 7.5.x–8.5.6.0. Exploitation details are not provided beyond the vulnerability description. IBM’s advisory recommends installing...
Authentication flaw
The REST API in F5 BIG-IQ Cloud, Device, and Security 4.4.0 and 4.5.0 before HF2 and ADC 4.5.0 before HF2, when configured for LDAP remote authentication and the LDAP server allows anonymous BIND operations, allows remote attackers to obtain an authentication token for arbitrary users by guessing...
CVE-2015-4637
The REST API in F5 BIG-IQ Cloud, Device, and Security 4.4.0 and 4.5.0 before HF2 and ADC 4.5.0 before HF2, when configured for LDAP remote authentication and the LDAP server allows anonymous BIND operations, allows remote attackers to obtain an authentication token for arbitrary users by guessing...
CVE-2015-4637
CVE-2015-4637 affects F5 BIG-IQ Cloud, Device, and Security 4.4.0 and 4.5.0 before HF2, and BIG-IQ ADC 4.5.0 before HF2. When LDAP remote authentication is enabled and the LDAP server allows anonymous BIND, an unauthenticated attacker can obtain an authentication token for arbitrary LDAP user acc...
CVE-2015-1961
The REST API in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0 allows remote authenticated users to bypass intended access restrictions and execute arbitrary JavaScript code on the server via a...
Design/Logic Flaw
The REST API in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0 allows remote authenticated users to bypass intended access restrictions and execute arbitrary JavaScript code on the server via a...