371 matches found
CVE-2020-25966
Sectona Spectra before 3.4.0 has a vulnerable SOAP API endpoint that leaks sensitive information about the configured assets without proper authentication. This could be used by unauthorized parties to get configured login credentials of the assets via a modified pAccountID value. NOTE: The vendo...
PT-2020-16257 · Sectona · Sectona Spectra
Name of the Vulnerable Software and Affected Versions: Sectona Spectra versions prior to 3.4.0 Description: The issue concerns a vulnerable SOAP API endpoint that leaks sensitive information about configured assets without proper authentication. This could be exploited by unauthorized parties to...
Cisco Data Center Network Manager Command Injection (cisco-sa-20200102-dcnm-comm-inject)
According to its self-reported version, Cisco Data Center Network Manager is affected by a command injection vulnerability in the REST and SOAP API endpoints due to a failure to properly validate user-supplied input. An authenticated, remote attacker with administrative privileges can exploit thi...
Command Execution Vulnerability in Multiple IBM Products
IBM Aspera is a set of fast file transfer and streaming solutions built on the IBM FASP protocol from IBM in the United States. A command execution vulnerability exists in multiple IBM products. An attacker could exploit this vulnerability to execute commands in the SOAP API...
CVE-2020-4432
Certain IBM Aspera applications are vulnerable to command injection after valid authentication, which could allow an attacker with intimate knowledge of the system to execute commands in a SOAP API. IBM X-Force ID: 180810...
Command injection
Certain IBM Aspera applications are vulnerable to command injection after valid authentication, which could allow an attacker with intimate knowledge of the system to execute commands in a SOAP API. IBM X-Force ID: 180810...
CVE-2020-4432
Certain IBM Aspera applications are vulnerable to command injection after valid authentication, which could allow an attacker with intimate knowledge of the system to execute commands in a SOAP API. IBM X-Force ID: 180810...
CVE-2019-12511
In NETGEAR Nighthawk X10-R9000 prior to 1.0.4.26, an attacker may execute arbitrary system commands as root by sending a specially-crafted MAC address to the "NETGEAR Genie" SOAP endpoint at AdvancedQoS:GetCurrentBandwidthByMAC. Although this requires QoS being enabled, advanced QoS being enabled...
CVE-2019-12510
In NETGEAR Nighthawk X10-R900 prior to 1.0.4.26, an attacker may bypass all authentication checks on the device's "NETGEAR Genie" SOAP API "/soap/serversa" by supplying a malicious X-Forwarded-For header of the device's LAN IP address 192.168.1.1 in every request. As a result, an attacker may...
Authentication flaw
In NETGEAR Nighthawk X10-R900 prior to 1.0.4.26, an attacker may bypass all authentication checks on the device's "NETGEAR Genie" SOAP API "/soap/serversa" by supplying a malicious X-Forwarded-For header of the device's LAN IP address 192.168.1.1 in every request. As a result, an attacker may...
CVE-2019-12511 Root Command Injection via MAC Address in SOAP API
In NETGEAR Nighthawk X10-R9000 prior to 1.0.4.26, an attacker may execute arbitrary system commands as root by sending a specially-crafted MAC address to the "NETGEAR Genie" SOAP endpoint at AdvancedQoS:GetCurrentBandwidthByMAC. Although this requires QoS being enabled, advanced QoS being enabled...
CVE-2019-12510
Netgear Nighthawk X10-R9000 devices with firmware
CVE-2019-12510 Auth Bypass Via X-Forwarded-For Header in SOAP API
In NETGEAR Nighthawk X10-R900 prior to 1.0.4.26, an attacker may bypass all authentication checks on the device's "NETGEAR Genie" SOAP API "/soap/serversa" by supplying a malicious X-Forwarded-For header of the device's LAN IP address 192.168.1.1 in every request. As a result, an attacker may...
CVE-2020-8804
SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module...
CVE-2020-8804
SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module...
Sql injection
SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module...
CVE-2020-8804
SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module...
CVE-2020-8804
SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module...
CVE-2020-8804
CVE-2020-8804 affects SuiteCRM up to version 7.11.10, where multiple SQL Injection vulnerabilities exist in the SOAP API, the EmailUIAjax interface, and the MailMerge module. The root cause is unsanitized user input used to construct SQL queries (e.g., in set_entries() via name_value_lists and in...
PT-2020-20293 · Salesagility · Suitecrm
Name of the Vulnerable Software and Affected Versions: SuiteCRM versions prior to 7.11.11 Description: The issue allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module. Recommendations: For versions prior to 7.11.11, update to version 7.11.11 or later to resolve...