538 matches found
[SECURITY] [DLA 3642-1] request-tracker4 security update
------------------------------------------------------------------------- Debian LTS Advisory DLA-3642-1 https://www.debian.org/lts/security/ Salvatore Bonaccorso October 31, 2023 https://wiki.debian.org/LTS -...
SUSE CVE-2018-1079
pcs versions before 0.9.164 and 0.10 are vulnerable to privilege escalation via a malicious REST call from an authorized user. The REST interface of the pcsd service did not properly sanitize the file name from the /remote/putfile query. If the /etc/booth directory exists, an authenticated attacker with...
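The putfile flaw above is a file-name sanitization problem: the handler joins a client-controlled name onto /etc/booth and writes there. The following is an added illustration, not pcsd's own code; the directory name comes from the advisory, while the handler shape, the function names and the sample file names are assumptions. It shows what an unchecked os.path.join() does with traversal and absolute names, and a check that pins the write target inside the directory.

```python
"""Added illustration (not pcsd code): an unchecked join beside a pinned one."""
import os

# Directory named in the advisory; everything else here is an assumption.
BOOTH_DIR = "/etc/booth"


def unsafe_target(filename, base_dir=BOOTH_DIR):
    """What a handler that trusts the client name does.

    os.path.join() keeps '..' components and, when filename is absolute,
    discards base_dir entirely, so the write can land anywhere pcsd (root)
    can write.
    """
    return os.path.join(base_dir, filename)


def normalized_unsafe_target(filename, base_dir=BOOTH_DIR):
    """The path the kernel would actually open for the unchecked join."""
    return os.path.normpath(unsafe_target(filename, base_dir))


def safe_target(filename, base_dir=BOOTH_DIR):
    """Accept a bare file name only, then confirm the resolved path's parent
    is base_dir.

    The second check also catches an existing entry that is a symlink out of
    the directory, which a string-only check would miss.
    """
    if (not filename or filename in (".", "..")
            or "/" in filename or "\0" in filename):
        raise ValueError(f"rejected file name {filename!r}")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, filename))
    if os.path.dirname(candidate) != root:
        raise ValueError(f"{filename!r} resolves outside {base_dir}")
    return candidate


def is_safe_filename(filename, base_dir=BOOTH_DIR):
    """Boolean form of safe_target() for request validation."""
    try:
        safe_target(filename, base_dir)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names an attacker might submit to /remote/putfile.
    for name in ("booth.conf", "../../etc/cron.d/job", "/etc/passwd", ".."):
        print(f"{name!r:28} unchecked -> {normalized_unsafe_target(name)!r:26} "
              f"accepted by check: {is_safe_filename(name)}")
```

The check deliberately refuses any separator rather than trying to normalize it; a file-drop endpoint has no legitimate reason to accept a path, and the realpath comparison is the backstop for the cases string filtering cannot see.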
Debian DSA-5542-1 : request-tracker4 - security update
The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5542 advisory. - Request Tracker reports: CVE-2023-41259 SECURITY: RT is vulnerable to unvalidated email headers in incoming email and the mail-gateway REST interface...
PT-2023-6715 · Unknown +2 · Request Tracker +2
Name of the Vulnerable Software and Affected Versions: Request Tracker (RT) versions 4.4.6 and earlier; RT versions 5.x prior to 5.0.5. Description: The issue allows information exposure in responses to mail-gateway REST API calls. This is due to excessive data output by the applicati...
FreeBSD : Request Tracker -- multiple vulnerabilities (e14b9870-62a4-11ee-897b-000bab9f87f1)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the e14b9870-62a4-11ee-897b-000bab9f87f1 advisory. - Request Tracker reports: CVE-2023-41259 SECURITY: RT is vulnerable to unvalidated email...
PT-2023-28155 · Unknown · Home Assistant
Name of the Vulnerable Software and Affected Versions: Home Assistant versions prior to 2023.9.0. Description: The issue concerns a partial Server-Side Request Forgery vulnerability in the hassio.addon stdin service, where an attacker capable of calling this service may be able to invoke any...
Request Tracker -- multiple vulnerabilities
Request Tracker reports: CVE-2023-41259 SECURITY: RT is vulnerable to unvalidated email headers in incoming email and the mail-gateway REST interface. CVE-2023-41260 SECURITY: RT is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST...
DEBIAN-CVE-2023-5561
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an oracle-style attack...
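The "oracle-style attack" in the entry above works because the response never has to contain the email: whether a known author appears in the result set for a given search term is enough. The block below is an added illustration, not WordPress code; the users, the column names and the prefix-match semantics are constructed assumptions standing in for the real wildcard search. It shows the search endpoint with the email column searchable, the enumeration that recovers an email one character at a time, and the fix that keeps email out of the unauthenticated search columns.

```python
"""Added illustration (not WordPress code): a searchable email column as an
oracle, the prefix enumeration that exploits it, and the column restriction
that closes it."""
import string

# Constructed sample users. Only authors with public posts are listable,
# which is exactly the population the advisory describes as affected.
USERS = [
    {"id": 1, "login": "alice", "display_name": "Alice",
     "email": "alice@example.org", "public_posts": True},
    {"id": 2, "login": "bob", "display_name": "Bob",
     "email": "bob@example.org", "public_posts": True},
    {"id": 3, "login": "carol", "display_name": "Carol",
     "email": "carol@example.org", "public_posts": False},
]

PUBLIC_COLUMNS = ("login", "display_name")   # already visible on the site
ALL_COLUMNS = PUBLIC_COLUMNS + ("email",)


def search_users(term, columns):
    """Return the ids of listable users with a column starting with `term`.

    Prefix matching is an assumption that stands in for the wildcard search;
    the response carries only ids, never the email, yet membership leaks it.
    """
    term = term.lower()
    return [u["id"] for u in USERS if u["public_posts"]
            and any(u[c].lower().startswith(term) for c in columns)]


def vulnerable_search(term):
    """Unauthenticated search over every column, email included."""
    return search_users(term, ALL_COLUMNS)


def fixed_search(term):
    """Unauthenticated search restricted to columns that are public anyway."""
    return search_users(term, PUBLIC_COLUMNS)


ALPHABET = string.ascii_lowercase + string.digits + "@.-_+"


def oracle_enumerate(search, target_id, max_len=64):
    """Grow a prefix one character at a time, keeping each character for
    which the target user (known from their public posts) still appears.

    Stops when no character extends the prefix; against the vulnerable
    endpoint that is the full email, against the fixed one just the login.
    """
    prefix = ""
    while len(prefix) < max_len:
        for ch in ALPHABET:
            if target_id in search(prefix + ch):
                prefix += ch
                break
        else:
            return prefix
    return prefix


if __name__ == "__main__":
    print("vulnerable:", oracle_enumerate(vulnerable_search, 1))
    print("fixed:     ", oracle_enumerate(fixed_search, 1))
```

The cost to the attacker is one request per candidate character, so the leak is practical even with rate limiting; the fix has to remove the oracle, not slow it down.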
CVE-2023-41904
Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass for AuthToken generation in REST APIs...
CVE-2023-4400
A password management vulnerability in Skyhigh Secure Web Gateway (SWG) in main releases 11.x prior to 11.2.14, 10.x prior to 10.2.25 and controlled release 12.x prior to 12.2.1, allows some authentication information stored in configuration files to be extracted through the SWG REST API. This was...
PT-2023-8186 · Mikrotik · Routeros +1
Name of the Vulnerable Software and Affected Versions: MikroTik RouterOS versions 7.1 through 7.11. Description: The issue is related to incorrect access control mechanisms in place for the REST API, which can allow a remote attacker to disclose protected information. Recommendations: For versions...
PT-2023-3493 · Cisco · Cisco Sd-Wan Vmanage
Name of the Vulnerable Software and Affected Versions: Cisco SD-WAN vManage software (affected versions not specified). Description: A vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software could allow an unauthenticated, remote attacker to gain read...
CVE-2023-28001
An insufficient session expiration in Fortinet FortiOS 7.0.0 - 7.0.12 and 7.2.0 - 7.2.4 allows an attacker to execute unauthorized code or commands via reusing the session of a deleted user in the REST API...
Apache StreamPipes Elevation of Privilege Vulnerability
Apache StreamPipes is a self-service industrial IoT toolkit from the Apache Software Foundation that enables non-technical users to connect, analyze and explore IIoT data streams. Apache StreamPipes suffers from an elevation of privilege vulnerability that is caused by failing to properly restrict the...
GHSA-PM73-X2H5-CMJ3 Apache StreamPipes Improper Privilege Management vulnerability
A REST interface in Apache StreamPipes versions 0.69.0 to 0.91.0 was not properly restricted to admin-only access. This allowed a non-admin user with valid login credentials to elevate privileges beyond the initially assigned roles. The issue is resolved by upgrading to StreamPipes 0.92.0...
CVE-2023-31469
A REST interface in Apache StreamPipes versions 0.69.0 to 0.91.0 was not properly restricted to admin-only access. This allowed a non-admin user with valid login credentials to elevate privileges beyond the initially assigned roles. The issue is resolved by upgrading to StreamPipes 0.92.0...
CVE-2023-31469 Apache StreamPipes: Privilege escalation through non-admin user
A REST interface in Apache StreamPipes versions 0.69.0 to 0.91.0 was not properly restricted to admin-only access. This allowed a non-admin user with valid login credentials to elevate privileges beyond the initially assigned roles. The issue is resolved by upgrading to StreamPipes 0.92.0...
CVE-2023-31469
The CVE-2023-31469 issue affects Apache StreamPipes versions 0.69.0–0.91.0, where a REST interface was not properly restricted to administrator access. This allowed a non-admin user with valid credentials to elevate privileges beyond their roles. Red Hat and other sources corroborate an elevation...
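The StreamPipes entries above all describe the same shape of bug: the endpoint checks that the caller is logged in but never that the caller holds the role the operation needs, so any valid account can change roles. The block below is an added illustration, not StreamPipes code (which is Java); the role names, the handler and the store are assumptions. It puts the authenticated-only handler beside a role-gated one and adds the startup check a practitioner wants: every public handler must declare a required role, so a missing guard fails at boot rather than in production.

```python
"""Added illustration (not StreamPipes code): authenticated-but-unauthorized
handler beside a role-gated one, plus an audit for unguarded handlers."""
from functools import wraps

# Assumed role names.
ROLE_ADMIN = "ROLE_ADMIN"
ROLE_USER = "ROLE_USER"


class Forbidden(Exception):
    """Caller lacks the role the handler requires (maps to HTTP 403)."""


class Principal:
    """An authenticated caller: login succeeded, roles come from the store."""
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)


def require_role(role):
    """Declare the role a handler needs; the check runs before the body."""
    def decorate(handler):
        @wraps(handler)
        def guarded(self, caller, *args, **kwargs):
            if role not in caller.roles:
                raise Forbidden(f"{caller.name} lacks {role}")
            return handler(self, caller, *args, **kwargs)
        guarded.required_role = role   # visible to the audit below
        return guarded
    return decorate


class RoleStore:
    """Constructed sample accounts: one admin, one ordinary user."""
    def __init__(self):
        self.roles = {"admin": {ROLE_ADMIN, ROLE_USER}, "bob": {ROLE_USER}}


class VulnerableRoleApi:
    """Models the flaw: a valid login is all that is checked."""
    def __init__(self, store):
        self.store = store

    def put_roles(self, caller, target, roles):
        self.store.roles[target] = set(roles)
        return 200


class HardenedRoleApi:
    """Same operation, gated on the administrator role."""
    def __init__(self, store):
        self.store = store

    @require_role(ROLE_ADMIN)
    def put_roles(self, caller, target, roles):
        self.store.roles[target] = set(roles)
        return 200


def call(api, caller, target, roles):
    """Dispatch PUT /users/{target}/roles and map the outcome to a status."""
    try:
        return api.put_roles(caller, target, roles)
    except Forbidden:
        return 403


def unguarded_handlers(api):
    """Startup audit: names of public handlers with no declared role."""
    return sorted(name for name, fn in vars(type(api)).items()
                  if callable(fn) and not name.startswith("_")
                  and getattr(fn, "required_role", None) is None)


if __name__ == "__main__":
    for api_cls in (VulnerableRoleApi, HardenedRoleApi):
        store = RoleStore()
        bob = Principal("bob", store.roles["bob"])
        status = call(api_cls(store), bob, "bob", [ROLE_ADMIN, ROLE_USER])
        print(f"{api_cls.__name__}: bob grants himself admin -> {status}, "
              f"roles now {sorted(store.roles['bob'])}, "
              f"unguarded: {unguarded_handlers(api_cls(store))}")
```

The audit is the part that scales: a role check is easy to add to the one endpoint named in an advisory and easy to forget on the next one, so deny-by-default enforcement (refuse to start while unguarded_handlers() is non-empty) is what keeps the fix from regressing.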