54 matches found
CVE-2024-5827 Arbitrary File Write by Prompt Injection via DuckDB SQL in vanna-ai/vanna
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents . This can lead to...
CVE-2024-5827
Vanna v0.3.4 is affected by an SQL injection in the DuckDB integration exposed through its Flask Web APIs. The vulnerability allows attackers to inject malicious SQL training data and craft queries that can write arbitrary files to the file system (e.g., backdoor.php with contents ), potentially ...
PT-2024-5388 · Duckdb +2 · Duckdb +2
Name of the Vulnerable Software and Affected Versions: Vanna version 0.3.4 Description: The issue is related to the Vanna framework's web interface, specifically with its integration of DuckDB and Flask Web APIs. It allows for SQL injection, enabling attackers to inject malicious SQL training dat...
CVE-2023-37899
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler did not catch invalid string conversion errors like const message = $ toString: '' which would cause the NodeJS process to crash when sending an unexpected Socket.io...
Design/Logic Flaw
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler did not catch invalid string conversion errors like const message = $ toString: '' which would cause the NodeJS process to crash when sending an unexpected Socket.io...
CVE-2023-33244
Obsidian before 1.2.2 allows calls to unintended APIs for microphone access, camera access, and desktop notification via an embedded web page...
PT-2023-1633 · Unknown · Mxsecurity
Name of the Vulnerable Software and Affected Versions: MXsecurity version 1.0 Description: The issue is related to hardcoded credentials in MXsecurity, which can be exploited to craft arbitrary JWT tokens and bypass authentication for web-based APIs. This allows a remote attacker to elevate their...
[SECURITY] [DSA 5186-1] djangorestframework security update
------------------------------------------------------------------------- Debian Security Advisory DSA-5186-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff July 22, 2022 https://www.debian.org/security/faq -...
10 Years Journey into API Security Vulnerabilities with Ivan, the CEO of Wallarm
Ivan Novikov, CEO at Wallarm, is an API security expert, bug hunter, security researcher, and blackhat speaker with 24 years of experience in the cybersecurity field. He spent decades in this industry and witnessed exploits as well as growth. Read ahead to understand Ivan’s API Security journey a...
The vulnerability of Google Chrome’s web APIs, related to the use of memory after it is freed, allows attackers to circumvent existing security restrictions by using a specially created HTML page.
The vulnerability of Google Chrome’s web APIs is related to the use of memory after it is freed. Exploiting this vulnerability allows a malicious actor to bypass existing security restrictions by using a specially created HTML page...
CVE-2020-17520
In the Pulsar manager 0.1.0 version, malicious users will be able to bypass pulsar-manager's admin, permission verification mechanism by constructing special URLs, thereby accessing any HTTP API...
Improper Access Control
chromium is vulnerable to improper access control. The vulnerability exists due to insufficient protection of permission UI in WebAPKs in Google Chrome, allowing an attacker who convinced the user to install a malicious application to access web APIs via a crafted APK...
Aviatrix Systems Controller 代码问题漏洞
Aviatrix Controller is a centralized control panel for orchestrating and managing various network and connectivity solutions. An arbitrary file upload vulnerability exists in Aviatrix Controller versions prior to R6.0.2483. The vulnerability stems from several APIs that contain functionality that...
Mattermost Desktop App Access Control Error Vulnerability
Mattermost Desktop App is a messaging desktop application from Mattermost USA. An Access Control Error vulnerability exists in Mattermost Desktop App versions prior to 4.4.0, which stems from the program's failure to properly handle the same-origin policy and can be exploited by an attacker to...
CVE-2020-14456
An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during access-control decisions for web APIs, aka MMSA-2020-0006...
CVE-2020-14456
An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during access-control decisions for web APIs, aka MMSA-2020-0006...
CVE-2020-14456
An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during access-control decisions for web APIs, aka MMSA-2020-0006...
Roblox: Insecure redirect rule results in bypassing ban redirect on certain pages
Description Account bans on Roblox work via redirect rules. If an user attempts go to a page that's outside a whitelisted set of rules, they'll be redirected back to the ban page. After researching, I've found that the following rules are whitelisted and bypass this redirect: - Any URLs ending in...
DEBIAN-CVE-2019-5767
Insufficient protection of permission UI in WebAPKs in Google Chrome on Android prior to 72.0.3626.81 allowed an attacker who convinced the user to install a malicious application to access privacy/security sensitive web APIs via a crafted APK...
CVE-2019-5767
Insufficient protection of permission UI in WebAPKs in Google Chrome on Android prior to 72.0.3626.81 allowed an attacker who convinced the user to install a malicious application to access privacy/security sensitive web APIs via a crafted APK...