542 matches found

ThreatPost
added 2022/05/05 12:48 p.m. · 54 views

F5 Warns of Critical Bug Allowing Remote Code Execution in BIG-IP Systems

Application service provider F5 is warning a critical vulnerability allows unauthenticated hackers with network access to execute arbitrary commands on its BIG-IP systems. The F5 BIG-IP is a combination of software and hardware that is designed around access control, application availability and...

CVSS 9.8 · AI score 10 · EPSS 0.99956
Exploits 63 · References 10

CNNVD
added 2022/03/30 12:00 a.m. · 6 views

RSA Archer Security Vulnerability

RSA Archer is an enterprise IT governance and compliance governance product from RSA UK, including policy, risk and compliance definition and management. It is able to aggregate all of our enterprise assets, as well as some of the monitored information, and organize it into a unified platform,...

CVSS 6.5 · AI score 6.6 · EPSS 0.00944
Exploits 0 · References 4

ATTACKERKB
added 2022/03/18 5:15 a.m. · 3 views

CVE-2021-45966

An issue was discovered in Pascom Cloud Phone System before 7.20.x. In the management REST API, /services/apply in exd.pl allows remote attackers to execute arbitrary code via shell metacharacters...

CVSS 10 · AI score 8.3 · EPSS 0.05618
Exploits 1 · References 4

CNNVD
added 2022/02/09 12:00 a.m. · 4 views

Linux jss Security Vulnerability

ruby-jss is a Ruby framework for interacting with the JAMF Software Server JSS REST API. A security vulnerability exists in Linux jss that stems from a memory leak in a software TLS connection leading to an object serialization issue...

CVSS 7.5 · AI score 7.3 · EPSS 0.01196
Exploits 0 · References 9

CNNVD
added 2022/01/17 12:00 a.m. · 6 views

Juniper Networks Contrail Service Orchestration Access Control Error Vulnerability

Juniper Networks Contrail Service Orchestration is a robust software platform from Juniper Networks USA, Inc. used to connect many enterprise and multi-tenant service provider solutions. Juniper Networks Contrail Service Orchestration suffers from an access control error vulnerability that stems...

CVSS 7.7 · AI score 5.7 · EPSS 0.0078
Exploits 0 · References 3

Positive Technologies
added 2022/01/07 12:00 a.m. · 5 views

PT-2022-11674 · Unknown · Beaver Builder

Name of the Vulnerable Software and Affected Versions: Beaver Builder versions prior to 2.5.0.4 Description: The issue allows attackers to bypass the visibility controls protection mechanism. This can be achieved via the REST API. Recommendations: For versions prior to 2.5.0.4, update to version...

CVSS 5.3 · AI score 5.3 · EPSS 0.00995
Exploits 1 · References 4

Positive Technologies
added 2021/12/19 12:00 a.m. · 3 views

PT-2022-5003 · Mediawiki +1 · Mediawiki +1

Name of the Vulnerable Software and Affected Versions: MediaWiki versions prior to 1.35.5 MediaWiki versions 1.36.x prior to 1.36.3 MediaWiki versions 1.37.x prior to 1.37.1 Description: An issue was discovered in the REST API of MediaWiki, which publicly caches results from private wikis,...

CVSS 8.8 · AI score 6 · EPSS 0.0182
Exploits 7 · References 77

OSV
added 2021/11/10 12:15 p.m. · 6 views

CVE-2021-34582

In Phoenix Contact FL MGUARD 1102 and 1105 in Versions 1.4.0, 1.4.1 and 1.5.0 a user with high privileges can inject HTML code XSS through web-based management or the REST API with a manipulated certificate file...

CVSS 4.8 · AI score 5.8
Exploits 0 · References 1

VulnCheck KEV
added 2021/10/27 12:00 a.m. · 5 views

VulnCheck KEV: CVE-2021-39341

The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the loggedinorhasapikey function in the /OMAPI/RestApi.php file, which can be used to inject malicious web scripts on...

CVSS 8.2 · AI score 7.2 · EPSS 0.2327
Exploits 1 · References 1

CNNVD
added 2021/09/22 12:00 a.m. · 3 views

WordPress Plugin Security Vulnerability

WordPress Plugin is an open source application plugin for WordPress. A security vulnerability exists in the WordPress plugin Ninja Forms 3.5.7 and earlier versions, where an authenticated attacker could export all Ninja Forms submissions, which may contain personally identifiable information, via...

CVSS 6.4 · AI score 5.1 · EPSS 0.00636
Exploits 2 · References 4

OSV
added 2021/09/09 2:15 a.m. · 4 views

CVE-2021-32836

ZStack is open source IaaS (infrastructure as a service) software. In ZStack before versions 3.10.12 and 4.1.6 there is a pre-auth unsafe deserialization vulnerability in the REST API. An attacker in control of the request body will be able to provide both the class name and the data to be...

CVSS 8.1 · AI score 6.1 · EPSS 0.01971
Exploits 1 · References 2

CNNVD
added 2021/08/19 12:00 a.m. · 11 views

Parse Server Authorization Issue Vulnerability

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. An authorization issue vulnerability exists in versions of Parse Server prior to 4.5.1 that stems from the server incorrectly creating a session when an anonymous user registers with REST for t...

CVSS 6.5 · AI score 6.5 · EPSS 0.00993
Exploits 0 · References 5

RedHat Linux
added 2021/08/18 9:13 a.m. · 9 views

apache-flink: directory traversal attack allows remote file writing through the REST API

Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or...

CVSS 7.5 · AI score 5.9 · EPSS 0.50038
Exploits 1 · References 4

OSV
added 2021/08/12 3:15 p.m. · 2 views

CVE-2021-27794

A vulnerability in the authentication mechanism of Brocade Fabric OS versions before Brocade Fabric OS v9.0.1a, v8.2.3a and v7.4.2h could allow a user to log in with an empty password or an invalid password through telnet, ssh and REST...

CVSS 7.8 · AI score 7.1 · EPSS 0.0024
Exploits 0 · References 2

RedHat Linux
added 2021/08/11 6:21 p.m. · 1 view

apache-flink: directory traversal attack allows remote file writing through the REST API

Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or...

CVSS 7.5 · AI score 5.9 · EPSS 0.50038
Exploits 1 · References 4

BDU FSTEC
added 2021/08/03 12:00 a.m. · 3 views

The vulnerability of the REST API implementation in software for managing Cisco Firepower Device Manager On-Box allows an attacker to execute arbitrary code or perform arbitrary commands.

The vulnerability of the REST API implementation in software for managing Cisco Firepower Device Manager On-Box is related to improper code generation. Exploiting this vulnerability allows a malicious actor to execute arbitrary commands or run arbitrary code using a specially crafted HTTP request...

CVSS 7.5 · AI score 8.1 · EPSS 0.01867
Exploits 0 · References 3 · Affected Software 1

RedHat Linux
added 2021/07/27 10:36 p.m. · 6 views

jenkins: lack of type validation in agent related REST API

A flaw was found in Jenkins. Due to a lack of validation of the type of object created after loading the data submitted to the config.xml REST API endpoint of a node, attackers with Computer/Configure permission are able to replace a node with one of a different type...

CVSS 4.3 · AI score 5.7 · EPSS 0.02725
Exploits 0 · References 4

OSV
added 2021/07/20 4:15 a.m. · 4 views

CVE-2021-26081

REST API in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the /rest/api/latest/user/avatar/temporary endpoint...

CVSS 5.3 · AI score 6.1 · EPSS 0.01184
Exploits 0 · References 1

OSV
added 2021/06/03 10:15 a.m. · 2 views

CVE-2021-31831

Incorrect access to deleted scripts vulnerability in McAfee Database Security DBSec prior to 4.8.2 allows a remote authenticated attacker to gain access to signed SQL scripts which have been marked as deleted or expired within the administrative console. This access was only available through the...

CVSS 5.5 · AI score 5.9 · EPSS 0.00636
Exploits 0 · References 1

OSV
added 2021/05/25 12:15 p.m. · 5 views

CVE-2020-9450

An issue was discovered in Acronis True Image 2020 24.5.22510. antiransomwareservice.exe exposes a REST API that can be used by everyone, even unprivileged users. This API is used to communicate from the GUI to antiransomwareservice.exe. This can be exploited to add an arbitrary malicious...

CVSS 7.8 · AI score 7.2 · EPSS 0.00395
Exploits 1 · References 3