874 matches found

CVE
added 2021/12/08 6:51 p.m. · 57 views

CVE-2021-41017

CVE-2021-41017 describes multiple heap-based buffer overflow vulnerabilities in FortiWeb’s web API controllers (versions 6.4.1, 6.4.0, and 6.3.0 through 6.3.15). The underlying issue is heap-based overflow which may allow a remote authenticated attacker to execute arbitrary code or commands via s...

8.8 CVSS · 9 AI score · 0.01894 EPSS
Exploits 0 · References 1 · Affected Software 1
VulnCheck KEV
added 2021/12/01 12:00 a.m. · 4 views

VulnCheck KEV: CVE-2021-37415

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication...

9.8 CVSS · 7.3 AI score · 0.99579 EPSS
Exploits 0 · References 1
NVD
added 2021/11/18 3:15 p.m. · 33 views

CVE-2021-43549

A remote authenticated attacker with write access to a PI Server could trick a user into interacting with a PI Web API endpoint and redirect them to a malicious website. As a result, a victim may disclose sensitive information to the attacker or be provided with false information...

6.9 CVSS · 0.00668 EPSS
Exploits 0 · References 1
Prion
added 2021/11/18 3:15 p.m. · 17 views

Information disclosure

A remote authenticated attacker with write access to a PI Server could trick a user into interacting with a PI Web API endpoint and redirect them to a malicious website. As a result, a victim may disclose sensitive information to the attacker or be provided with false information...

3.5 CVSS · 4.7 AI score · 0.00668 EPSS
Exploits 0 · References 1 · Affected Software 1
CVE
added 2021/11/18 2:18 p.m. · 49 views

CVE-2021-43549

CVE-2021-43549 affects the OSIsoft PI Web API. A remote authenticated attacker with write access to a PI Server can lure a user into interacting with a PI Web API endpoint and redirect them to a malicious site, potentially disclosing sensitive information or providing false data. Root cause: impr...

6.9 CVSS · 5 AI score · 0.00668 EPSS
Exploits 0 · References 1 · Affected Software 1
CNNVD
added 2021/11/18 12:00 a.m. · 6 views

OSIsoft PI Server Cross-Site Scripting Vulnerability

OSIsoft PI is a commercial software application platform from OSIsoft, USA, based on a client/server architecture. The platform supports data collection, analysis and visualization. A security vulnerability exists in OSIsoft PI Server, which can be exploited by remote...

6.9 CVSS · 5.7 AI score · 0.00668 EPSS
Exploits 0 · References 2
CNVD
added 2021/11/11 12:00 a.m. · 20 views

OSIsoft PI Server Cross-Site Scripting Vulnerability

OSIsoft PI is a commercial software application platform from OSIsoft, USA, based on a client/server architecture. The platform supports data collection, analysis and visualization. A security vulnerability exists in OSIsoft PI Server, which can be exploited by remote...

6.9 CVSS · 2.3 AI score · 0.00668 EPSS
Exploits 0 · References 1
ICS
added 2021/11/09 12:00 a.m. · 77 views

OSIsoft PI Web API

1. EXECUTIVE SUMMARY
CVSS v3 6.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: OSIsoft
Equipment: PI Web API
Vulnerability: Cross-site Scripting
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a remote authenticated attacker access to sensitive...

6.9 CVSS · 5.3 AI score · 0.00668 EPSS
Exploits 0 · References 5
OSV
added 2021/10/18 2:15 p.m. · 2 views

CVE-2021-24677

The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles...

5.3 CVSS · 5.8 AI score
Exploits 0 · References 1
CNNVD
added 2021/10/12 12:00 a.m. · 4 views

TIBCO Software JasperReports Server Race Condition Vulnerability

TIBCO JasperReports Server is an embeddable reporting server from TIBCO Software, Inc. that provides reporting and analytics capabilities that can be embedded into web or mobile devices. A race condition vulnerability exists in various TIBCO...

5.7 CVSS · 5.8 AI score · 0.00486 EPSS
Exploits 0 · References 4
CNNVD
added 2021/09/07 12:00 a.m. · 3 views

GitHub pcapture Code Issue Vulnerability

pcapture is a GitHub project that uses Quarkus, the Supersonic Subatomic Java framework. A code issue vulnerability exists in pcapture that allows authenticated but unprivileged users to capture and download packets via the REST API without a capture filter and without sufficient privileges...

7.7 CVSS · 6.6 AI score · 0.01212 EPSS
Exploits 0 · References 5
CNNVD
added 2021/08/25 12:00 a.m. · 6 views

B. Braun SpaceCom2 Code Issue Vulnerability

The B. Braun SpaceCom2 is a hardware device from B. Braun, Germany, designed to connect to external devices to record data in a patient data management system, PC, or USB memory stick. A security vulnerability exists in versions of the B. Braun SpaceCom2 prior to 012U000062, which allows a remote...

9.1 CVSS · 8.6 AI score · 0.00984 EPSS
Exploits 1 · References 6
Microsoft Malware Protection
added 2021/08/19 4:00 p.m. · 37 views

Automating security assessments using Cloud Katana

Today, we are open sourcing Cloud Katana, a cloud-native serverless application built on the top of Azure Functions to assess security controls in the cloud and hybrid cloud environments. We are currently covering only use cases in Azure, but we are working on extending it to other cloud provider...

7.5 AI score
Exploits 0
Microsoft Secure
added 2021/08/19 4:00 p.m. · 40 views

Automating security assessments using Cloud Katana

Today, we are open sourcing Cloud Katana, a cloud-native serverless application built on the top of Azure Functions to assess security controls in the cloud and hybrid cloud environments. We are currently covering only use cases in Azure, but we are working on extending it to other cloud provider...

7.5 AI score
Exploits 0
Packet Storm
added 2021/06/24 12:00 a.m. · 369 views

Huawei DG8045 Authentication Bypass

Title: Huawei dg8045 - Authentication Bypass
Date: 2020-06-24
Author: Abdalrahman Gamal
Vendor Homepage: www.huawei.com
Version: dg8045
Hardware Version: VER.A
POC: The default password of this router is the last 8 characters of the device's serial number which exist in the back of the device. An...

0.3 AI score
Exploits 0
OSV
added 2021/06/23 10:15 a.m. · 2 views

CVE-2021-29086

Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager DSM before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors...

7.5 CVSS · 7.2 AI score · 0.01181 EPSS
Exploits 0 · References 1
CNNVD
added 2021/06/23 12:00 a.m. · 4 views

Synology DiskStation Manager Information Disclosure Vulnerability

DiskStation Manager DSM is an operating system that runs on all Synology NAS and can be operated through an intuitive web interface. An information disclosure vulnerability exists in the webapi component of Synology DiskStation Manager prior to version 6.2.3-25426-3. A remote attacker can exploit...

7.5 CVSS · 5.8 AI score · 0.01181 EPSS
Exploits 0 · References 1
Positive Technologies
added 2021/06/23 12:00 a.m. · 4 views

PT-2021-18076 · Synology · Synology Diskstation Manager

Name of the Vulnerable Software and Affected Versions: Synology DiskStation Manager DSM versions prior to 6.2.3-25426-3
Description: The issue is related to a Path Traversal vulnerability in the webapi component, allowing remote attackers to write arbitrary files via unspecified vectors...

7.5 CVSS · 8.7 AI score · 0.01396 EPSS
Exploits 0 · References 4
OSV
added 2021/06/22 6:15 p.m. · 4 views

CVE-2021-3044

An improper authorization vulnerability in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API. This issue impacts: Cortex XSOAR 6.1.0 builds later than 1016923 and earlier th...

9.8 CVSS · 5.9 AI score · 0.01406 EPSS
Exploits 0 · References 1
OSV
added 2021/06/08 7:15 p.m. · 4 views

CVE-2021-26473

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 the http API located at /sgwebserviceo.php action logFilePath allows an attacker to write arbitrary files in the context of the web server process. These files can then be executed remotely by calling the file via the web server...

9.8 CVSS · 5.8 AI score · 0.01756 EPSS
Exploits 0 · References 4