875 matches found

Japan Vulnerability Notes
added 2024/07/30 12:00 a.m. · 18 views

JVN#26225832: EC-CUBE plugin (for EC-CUBE 4 series) "EC-CUBE Web API Plugin" vulnerable to stored cross-site scripting

EC-CUBE plugin for EC-CUBE 4 series "EC-CUBE Web API Plugin" provided by EC-CUBE CO.,LTD. contains a stored cross-site scripting vulnerability (CWE-79) in the OAuth Management feature. Impact: When there are multiple users using the OAuth Management feature and one of them inputs some crafted value on the...

CVSS 6.1 · AI score 5.7 · EPSS 0.00256
Exploits 0
Positive Technologies
added 2024/07/30 12:00 a.m. · 4 views

PT-2024-29291 · Ec Cube · Ec-Cube Web Api Plugin

Name of the Vulnerable Software and Affected Versions: EC-CUBE Web API Plugin (affected versions not specified). Description: A stored cross-site scripting issue exists in the EC-CUBE Web API Plugin. When multiple users utilize the OAuth Management feature and one user inputs a crafted value on the...

CVSS 6.1 · AI score 6.2 · EPSS 0.00256
Exploits 0 · References 5
NVD
added 2024/07/26 2:15 p.m. · 27 views

CVE-2024-6922

Automation Anywhere Automation 360 v21-v32 is vulnerable to Server-Side Request Forgery in a web API component. An attacker with unauthenticated access to the Automation 360 Control Room HTTPS service port 443 or HTTP service port 80 can trigger arbitrary web requests from the server...

CVSS 6.9 · EPSS 0.30172
Exploits 0 · References 1
Vulnrichment
added 2024/07/26 1:52 p.m. · 37 views

CVE-2024-6922 Server-Side Request Forgery in Automation 360

Automation Anywhere Automation 360 v21-v32 is vulnerable to Server-Side Request Forgery in a web API component. An attacker with unauthenticated access to the Automation 360 Control Room HTTPS service port 443 or HTTP service port 80 can trigger arbitrary web requests from the server...

CVSS 6.9 · AI score 7 · EPSS 0.30172
Exploits 0 · References 1
CVE
added 2024/07/26 1:52 p.m. · 102 views

CVE-2024-6922

Automation Anywhere Automation 360 is affected by an unauthenticated Server-Side Request Forgery (SSRF) in its web API component for v21–v32. The issue allows an attacker with access to the Control Room (HTTPS/HTTP) to elicit arbitrary requests from the server, potentially reaching internal servi...

CVSS 6.9 · AI score 6.7 · EPSS 0.30172
Exploits 0 · References 1
Cvelist
added 2024/07/26 1:52 p.m. · 25 views

CVE-2024-6922 Server-Side Request Forgery in Automation 360

Automation Anywhere Automation 360 v21-v32 is vulnerable to Server-Side Request Forgery in a web API component. An attacker with unauthenticated access to the Automation 360 Control Room HTTPS service port 443 or HTTP service port 80 can trigger arbitrary web requests from the server...

CVSS 6.9 · EPSS 0.30172
Exploits 0 · References 1
CNVD
added 2024/07/10 12:00 a.m. · 10 views

Unspecified Vulnerability in Siemens SINEMA Remote Connect Server (CNVD-2024-31248)

Siemens SINEMA Remote Connect Server is a remote network management platform from Siemens, Germany. The platform is used to remotely access, maintain, control and diagnose the underlying network. A security vulnerability exists in Siemens SINEMA Remote Connect Server because the affected...

CVSS 8.7 · AI score 6.9 · EPSS 0.00445
Exploits 0 · References 1
NVD
added 2024/07/09 12:15 p.m. · 29 views

CVE-2024-39873

A vulnerability has been identified in SINEMA Remote Connect Server (all versions < V3.2 SP1). The affected application does not properly implement brute force protection against user credentials in its web API. This could allow an attacker to learn user credentials that are vulnerable to brute force...

CVSS 8.7 · EPSS 0.00445
Exploits 0 · References 1
Vulnrichment
added 2024/07/09 12:05 p.m. · 17 views

CVE-2024-39873

A vulnerability has been identified in SINEMA Remote Connect Server (all versions < V3.2 SP1). The affected application does not properly implement brute force protection against user credentials in its web API. This could allow an attacker to learn user credentials that are vulnerable to brute force...

CVSS 8.7 · AI score 6.7 · EPSS 0.00445
Exploits 0 · References 1
Cvelist
added 2024/07/09 12:05 p.m. · 47 views

CVE-2024-39873

A vulnerability has been identified in SINEMA Remote Connect Server (all versions < V3.2 SP1). The affected application does not properly implement brute force protection against user credentials in its web API. This could allow an attacker to learn user credentials that are vulnerable to brute force...

CVSS 8.7 · EPSS 0.00445
Exploits 0 · References 1
CVE
added 2024/07/09 12:05 p.m. · 98 views

CVE-2024-39873

Summary: CVE-2024-39873 affects Siemens SINEMA Remote Connect Server (all versions before V3.2 SP1). The security issue is a failure to properly implement brute-force protection on the web API authentication, which could allow an attacker to learn user credentials vulnerable to brute force attack...

CVSS 8.7 · AI score 6.8 · EPSS 0.00445
Exploits 0 · References 1 · Affected Software 1
CNNVD
added 2024/07/09 12:00 a.m. · 10 views

Siemens SINEMA Remote Connect Server Security Vulnerability

Siemens SINEMA Remote Connect Server is a remote network management platform from Siemens, Germany. The platform is used to remotely access, maintain, control and diagnose the underlying network. A security vulnerability exists in Siemens SINEMA Remote Connect Server because the affected...

CVSS 8.7 · AI score 6.7 · EPSS 0.00445
Exploits 0 · References 2
Vulnrichment
added 2024/06/28 8:25 p.m. · 26 views

CVE-2024-38518 bbb-web API additional parameters considered

BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be "role=moderator", allowing an...

CVSS 4.6 · AI score 6.8 · EPSS 0.00307
Exploits 0 · References 4
OSSF Malicious Packages
added 2024/06/25 12:46 p.m. · 3 views

Malicious code in http-api-lookup (npm)

AI score 7
Exploits 0
OSSF Malicious Packages
added 2024/06/25 12:28 p.m. · 4 views

Malicious code in aspnet-webapi-auth (npm)

AI score 7
Exploits 0 · References 1
BDU FSTEC
added 2024/06/21 12:00 a.m. · 4 views

The vulnerability of the System webapi component of the Surveillance Station application allows an intruder to elevate their privileges.

The vulnerability of the System webapi component of the Surveillance Station application is related to deficiencies in access control. Exploiting this vulnerability could allow an attacker operating remotely to elevate their privileges...

CVSS 9.9 · AI score 5.4 · EPSS 0.00756
Exploits 0 · References 3 · Affected Software 1
Vulnrichment
added 2024/06/13 9:05 a.m. · 40 views

CVE-2024-34103 Customer account takeover via web API call & subsequent password reset

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application...

CVSS 8.1 · AI score 7 · EPSS 0.00781
Exploits 0 · References 1
Cvelist
added 2024/06/13 9:05 a.m. · 35 views

CVE-2024-34103 Customer account takeover via web API call & subsequent password reset

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application...

CVSS 8.1 · EPSS 0.00781
Exploits 0 · References 1
NVD
added 2024/06/12 9:15 p.m. · 35 views

CVE-2024-3468

There is a vulnerability in AVEVA PI Web API that could allow malicious code to execute on the PI Web API environment under the privileges of an interactive user that was socially engineered to use API XML import functionality with content supplied by an attacker...

CVSS 8.4 · EPSS 0.00417
Exploits 0 · References 1
Vulnrichment
added 2024/06/12 9:04 p.m. · 12 views

CVE-2024-3468 Deserialization of Untrusted Data in AVEVA PI Web API

There is a vulnerability in AVEVA PI Web API that could allow malicious code to execute on the PI Web API environment under the privileges of an interactive user that was socially engineered to use API XML import functionality with content supplied by an attacker...

CVSS 8.4 · AI score 7.3 · EPSS 0.00417
Exploits 0 · References 1