219 matches found
XVIDEOS: Unauthenticated API Access Exposing Premium Content and Financial Data
Security Report: Unauthenticated API Access Exposing Premium Content and Financial Data Issue Summary A critical security flaw has been identified on xvideos.red, allowing unrestricted access to premium channels and videos without requiring a paid membership. Normally, these resources should be...
CVE-2024-22422
AnythingLLM is an application that turns any document, resource, or piece of content into context that any LLM can use as references during chatting. In versions prior to commit 08d33cfd8 an unauthenticated API route file export can allow an attacker to crash the server resulting in a denial of...
Rockwell Automation Power Monitor 1000 Security Vulnerability
Rockwell Automation Power Monitor 1000 is a power monitor from Rockwell Automation. A security vulnerability exists in Rockwell Automation Power Monitor 1000 versions prior to 4.020, which can be exploited by an attacker to configure a new policyholder user without any authentication through the...
CVE-2024-48932 ZimaOS Unauthenticated API Discloses Usernames
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint http:///v1/users/name allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be...
WordPress InstaWP Connect plugin <= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation vulnerability
Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation vulnerability discovered by Truoc Phan in WordPress Plugin InstaWP Connect versions <= 0.1.0.38...
PT-2024-7359 · Cfx.Re · Cfx.Re Fxserver
Name of the Vulnerable Software and Affected Versions: Cfx.re FXServer versions v9601 and earlier wpDiscuz affected versions not specified Description: The issue is related to incorrect access control and the failure to neutralize script-related HTML tags on a web page. This can allow a remote...
CVE-2024-33566 WordPress OrderConvo plugin <= 12.4 - Unauthenticated API Access to Arbitrary File Upload vulnerability
Missing Authorization vulnerability in N-Media OrderConvo allows OS Command Injection. This issue affects OrderConvo: from n/a through 12.4...
WordPress OrderConvo plugin <= 12.4 - Unauthenticated API Access to Arbitrary File Upload vulnerability
Unauthenticated API Access to Arbitrary File Upload vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin OrderConvo versions <= 12.4...
CVE-2023-6777 WP Go Maps (formerly WP Google Maps) <= 9.0.34 - Information Exposure to Potential Denial of Service
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthenticated API key disclosure in versions up to, and including, 9.0.34 due to the plugin adding the API key to several plugin files. This makes it possible for unauthenticated attackers to obtain the developer's...
CVE-2023-4605
A valid authenticated Lenovo XClarity Administrator LXCA user can potentially leverage an unauthenticated API endpoint to retrieve system event information...
CVE-2023-4605
The CVE-2023-4605 case describes a vulnerability in Lenovo XClarity Administrator (LXCA) where a valid authenticated LXCA user can potentially leverage an unauthenticated API endpoint to retrieve system event information. Affected component: LXCA's API surface exposing system event data. Root ca...
Tramyardg Autoexpress 1.3.0 Authentication Bypass Vulnerability
Tramyardg Autoexpress version 1.3.0 allows for authentication bypass via unauthenticated API access to admin functionality. This could allow a remote anonymous attacker to delete or update vehicles as well as upload images for vehicles. Exploit Title: tramyardg autoexpress - Authentication Bypass...
Tramyardg Autoexpress 1.3.0 Authentication Bypass
Exploit Title: tramyardg autoexpress - Authentication Bypass Google Dork: N/A Date: 11/28/2023 Exploit Author: Scott White Vendor Homepage: https://github.com/tramyardg/autoexpress Version: v1.3.0 Tested on: Ubuntu 22.04.3 LTS + Apache/2.4.52 CVE: CVE-2023-48902 References:...
CVE-2024-22422
CVE-2024-22422 affects AnythingLLM. The vulnerability is in the public, unauthenticated data-export API route that uses the filename parameter to export files. A crafted input can bypass directory-filtering and crash the server when the export is deleted, yielding an unauthenticated Denial of Ser...
The vulnerability in the Web interface of the Cisco Unity Connection system allows a perpetrator to execute arbitrary commands with root privileges.
The vulnerability of the Cisco Unity Connection messaging system’s web management interface is related to the lack of authentication in the application programming interface. Exploiting this vulnerability allows a malicious actor to execute arbitrary commands with root privileges by loading...
PT-2024-2582 · Lenovo · Lenovo Xclarity Administrator
Name of the Vulnerable Software and Affected Versions: Lenovo XClarity Administrator affected versions not specified Description: The issue is related to information disclosure and can be exploited by a remote attacker to gain unauthorized access to an API endpoint without authentication. A valid...