Elasticsearch Security Vulnerability
Elasticsearch is a search engine based on the Lucene library. A security vulnerability exists in Elasticsearch versions from 8.4.0 up to but not including 8.11.1; it stems from an uncaught exception that occurs when an encrypted PDF is passed to an attachment processor via the REST API...
CVE-2024-1473
The Coming Soon & Maintenance Mode by Colorlib plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.99 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page contents via REST API thus bypassing maintenance mo...
PT-2024-18081 · WordPress · Easy Maintenance Mode
Name of the Vulnerable Software and Affected Versions: Easy Maintenance Mode plugin for WordPress versions up to, and including, 1.4.2 Description: The issue allows authenticated attackers to obtain post and page content via the REST API, bypassing the protection provided by the plugin...
CVE-2024-1462
The Maintenance Page plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 1.0.8 via the REST API. This makes it possible for unauthenticated attackers to view post titles and content when the site is in maintenance mode...
CVE-2024-0681
The Page Restriction WordPress WP – Protect WP Pages/Post plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.3.4. This is due to the plugin not properly restricting access to pages via the REST API when a page has been made private. This makes it...
BIT-FLINK-2020-17519 Apache Flink directory traversal attack: reading remote files through the REST API
A change introduced in Apache Flink 1.11.0 and released in 1.11.1 and 1.11.2 as well allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users shou...
CVE-2024-1088
The Password Protected Store for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.9 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive data including post titles and content...
WordPress Plugin Password Protected Store for WooCommerce Security Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers. A WordPress plugin is an application...
CVE-2024-1475
The Coming Soon Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.5 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page content thus bypassing the protection provided by the...
CVE-2024-0680
The WP Private Content Plus plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 3.6. This is due to the plugin not properly restricting access to posts via the REST API when a page has been made private. This makes it possible for unauthenticated...
PT-2024-13187 · Dell · Dell Secure Connect Gateway Appliance
Name of the Vulnerable Software and Affected Versions: Dell Secure Connect Gateway Application and Secure Connect Gateway Appliance versions 5.10.00.00 through 5.18.00.00 Description: A security concern has been identified where a malicious user with a valid user session may inject malicious...
CVE-2023-5922
The Royal Elementor Addons and Templates WordPress plugin before 1.3.81 does not ensure that users accessing posts via an AJAX action and a REST endpoint (currently disabled in the plugin) have the right to do so, allowing unauthenticated users to access arbitrary draft, private and password protect...
WordPress Plugin WP Go Maps Security Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. A WordPress plugin is an application plugin. A security vulnerability...
PT-2023-21066 · Netapp · Ontap Mediator
Name of the Vulnerable Software and Affected Versions: ONTAP Mediator versions prior to 1.7 Description: The issue allows an unauthenticated attacker to enumerate URLs via the REST API. Recommendations: For versions prior to 1.7, update to version 1.7 or later to resolve the issue. As a temporary...
CVE-2023-48430
A vulnerability has been identified in SINEC INS All versions V1.0 SP2 Update 2. The REST API of affected devices does not check the length of parameters in certain conditions. This allows a malicious admin to crash the server by sending a crafted request to the API. The server will automatically...
CVE-2023-36647
A hard-coded cryptographic private key used to sign JWT authentication tokens in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate arbitrary users and roles in web management and REST API endpoints via crafted JWT tokens...
PT-2023-28836 · Mlflow · Mlflow
Name of the Vulnerable Software and Affected Versions: MLFlow versions 2.8.1 and before Description: An issue in MLFlow allows a remote attacker to obtain sensitive information via a crafted request to the REST API. Approximately 4,120 devices are potentially affected, mainly distributed in the...
VulnCheck KEV: CVE-2021-21389
BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in...
CVE-2023-41570
MikroTik RouterOS v7.1 to 7.11 was discovered to contain incorrect access control mechanisms in place for the Rest API...
DEBIAN-CVE-2023-41259
Best Practical Request Tracker RT before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call...