CVE-2020-5943
CVE-2020-5943 affects F5 BIG-IP when using the iControl REST interface. In versions 14.1.0-14.1.0.1 and 14.1.2.5-14.1.2.7, protected fields are obfuscated in REST responses instead of being protected by a SecureVault cryptogram (unlike TMSH), potentially exposing sensitive data such as the GTM mo...
CVE-2020-5943
In versions 14.1.0-14.1.0.1 and 14.1.2.5-14.1.2.7, when a BIG-IP object is created or listed through the REST interface, the protected fields are obfuscated in the REST response, not protected via a SecureVault cryptogram as TMSH does. One example of protected fields is the GTM monitor password...
VulnCheck KEV: CVE-2020-26876
The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step for course videos and materials by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs because showinrest is enabled for custom post types e.g.,...
CVE-2020-15374
Rest API in Brocade Fabric OS v8.2.1 through v8.2.1d, and 8.2.2 versions before v8.2.2c is vulnerable to multiple instances of reflected input...
McAfee Web Gateway Elevation of Privilege Vulnerability (CNVD-2020-52199)
McAfee Web Gateway is a high-performance secure Web gateway with best-in-class threat protection in a unified appliance software architecture. An elevation of privilege vulnerability exists in McAfee Web Gateway versions prior to 9.2.1. The vulnerability stems from improper access control of the...
CVE-2020-7294
Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows an authenticated user interface user to delete or download protected files via improper access controls in the REST interface...
CVE-2020-7294
CVE-2020-7294 affects McAfee Web Gateway (MWG) prior to 9.2.1. The issue is an elevation of privilege due to improper access controls in the REST interface, allowing an authenticated UI user to delete or download protected files. Root cause: REST interface access control weaknesses. Impact: privi...
CVE-2020-7294 Web Gateway (MWG) - Privilege Escalation vulnerability
Privilege Escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.1 allows an authenticated user interface user to delete or download protected files via improper access controls in the REST interface...
Infinispan: REST and HotRod APIs unsecured locally by default
A flaw was found in Infinispan org.infinispan:infinispan-server-runtime version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion...
CVE-2020-3386
A vulnerability in the REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker with a low-privileged account to bypass authorization on the API of an affected device. The vulnerability is due to insufficient authorization of certain API functions...
Cisco Data Center Network Manager Command Injection Vulnerability
Cisco Data Center Network Manager (DCNM) is a data center management system from Cisco. The system works with Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting. A security vulnerability exists in the REST API endpoint in Cisco DCNM versions...
keycloak: cross-realm user access auth bypass
A flaw was found in the Keycloak REST API where it would permit user access from a realm the user was not configured for. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks...
The vulnerability in the class-wp-rest-posts-controller component of the WordPress content management system, related to insecure privilege management, allows attackers to compromise data integrity.
The vulnerability in the class-wp-rest-posts-controller component of the WordPress content management system is related to an authorization error that allowed users to mark posts as sticky through the REST API. Exploiting this vulnerability could enable a malicious actor to compromise data...
CVE-2020-3248
Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section o...
SSRF Vulnerability in Kong API Gateway Admin Rest API
Kong API Gateway is one of the most popular cloud-native API gateways, with two branches, open source and enterprise. It is widely used as API access middleware for cloud-native, microservice, and serverless cloud function scenarios, providing cloud-native applications with authentication,...
HackerOne: GraphQL node interface for ActiveResource models lacks encoding for resource identifier, enabling parameter injection in Payments backend
HackerOne exposes a small number of ActiveResource objects through its GraphQL node interface. ActiveResource objects use HTTP as transport layer in order to fetch data. Four of these models, TaxForm, Payout, Payment, and PayoutPreference are fetched from an internal Payments backend system with ...
Cisco Data Center Network Manager SOAP API Authentication Bypass Vulnerability
Cisco Data Center Network Manager (DCNM) is a suite of data center network managers from Cisco that provides multiprotocol management of the network and troubleshooting of switch operating conditions and performance. A SOAP API authentication bypass vulnerability exists in Cisco Data Center Network...
UBUNTU-CVE-2019-20043
In wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this...