CVE-2024-24830 OpenObserve Privilege Escalation Vulnerability in Users API

OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/orgid/users" endpoint. This vulnerability allows any authenticated regular user 'member' to add new users with...

ROS-20231109-02

Vulnerability in GLPI's request and incident handling system is related to information disclosure. Exploitation exploitation of the vulnerability could allow a remote attacker to obtain user logins. GLPI request and incident handling system vulnerability related to the lack of path filtering by...

PT-2025-40138

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The Linux kernel contains a flaw related to GPIO character device handling. Specifically, a NULL-pointer dereference can occur when requesting lines, unbinding the GPIO device, and then...

CVE-2023-0683

A valid, authenticated XCC user with read only access may gain elevated privileges through a specifically crafted API call...

Unlocking Serverless with AWS Lambda and IAM

Learn how Lambda and IAM unlock the power and versatility of the cloud by implementing a serverless User API that can be expanded on as you grow and explore the many services on AWS...

Design/Logic Flaw

jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner before version 0.15 user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users...

GHSA-CG54-GPGR-4RM6 user-readable api tokens in systemd units for JupyterHub

Impact user API tokens issued to single-user servers are specified in the environment of systemd units, which are accessible to all users. In particular, the-littlest-jupyterhub is affected, which uses systemdspawner by default. Patches Patched in jupyterhub-systemdspawner v0.15 Workarounds No...

PT-2020-14375 · Zyxel · Zyxel Cloudcnm Secumanager

Name of the Vulnerable Software and Affected Versions: Zyxel CloudCNM SecuManager versions 3.1.0 through 3.1.1 Description: The issue concerns an unauthenticated API, specifically the "zy install user" API endpoint. This allows for unauthorized access. Recommendations: For versions 3.1.0 and 3.1....

UPDATE: Empire 3.1.0

Empire 3.1.0 was released a few hours ago! If you remember, I briefly mentioned about this tool in my five month old post titled – List of Open Source C2 Post-Exploitation Frameworks. It’s a very good thing that, BC-Security has taken over the development of the tool and has made some awesome...

CVE-2019-1020017

Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP...

Code injection

Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP...

CVE-2019-1020017

Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP...

CVE-2019-1020017

CVE-2019-1020017 affects Discourse prior to 2.3.0 and 2.4.x prior to 2.4.0.beta3, where logging in via a user-api OTP lacks a confirmation screen. The vulnerability originates from improper flow gating during OTP-based login, enabling potential unintended access without explicit user confirmation...

CVE-2017-18376

An improper authorization check in the User API in TheHive before 2.13.4 and 3.x before 3.3.1 allows users with read-only or read/write access to escalate their privileges to the administrator's privileges. This affects app/controllers/UserCtrl.scala...

Authorization

An improper authorization check in the User API in TheHive before 2.13.4 and 3.x before 3.3.1 allows users with read-only or read/write access to escalate their privileges to the administrator's privileges. This affects app/controllers/UserCtrl.scala...

CVE-2017-18376

An improper authorization check in the User API in TheHive before 2.13.4 and 3.x before 3.3.1 allows users with read-only or read/write access to escalate their privileges to the administrator's privileges. This affects app/controllers/UserCtrl.scala...

CVE-2017-18376

An improper authorization check in the User API in TheHive before 2.13.4 and 3.x before 3.3.1 allows users with read-only or read/write access to escalate their privileges to the administrator's privileges. This affects app/controllers/UserCtrl.scala...

CVE-2017-18376

The Hive vulnerability CVE-2017-18376 is an improper authorization check in the User API (app/controllers/UserCtrl.scala) that lets users with read-only or read/write access escalate to administrator privileges. Affected versions are TheHive before 2.13.4 and 3.x before 3.3.1. Impact details indi...

UBUNTU-CVE-2016-4565

The InfiniBand aka IB stack in the Linux kernel before 4.5.3 incorrectly relies on the write system call, which allows local users to cause a denial of service kernel memory write operation or possibly have unspecified other impact via a uAPI interface...

[CVE-2013-1814] Apache Rave exposes User over API

CVE-2013-1814: Apache Rave exposes User over API Severity: Important Vendor: The Apache Software Foundation Versions Affected: Rave 0.11 to 0.20 Description: Rave returns the full user object, including the salted and hashed password, via the User RPC API. This endpoint is only available to...