332 matches found

OSV
added 2024/04/23 9:15 p.m. · 15 views

GHSA-3H7Q-RFH9-XM4V Synapse V2 state resolution weakness allows Denial of Service (DoS)

Impact: A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in how the auth chain cover index is calculated. This can induce high CPU consumption and accumulate excessive data in the database ...

CVSS 6.5 · AI score 6.2 · EPSS 0.0419
Exploits: 0 · References: 9
NVD
added 2024/04/23 6:15 p.m. · 11 views

CVE-2024-31208

Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate...

CVSS 6.5 · AI score 6.2 · EPSS 0.0419
Exploits: 0 · References: 6
UbuntuCve
added 2024/04/23 6:15 p.m. · 19 views

CVE-2024-31208

Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate...

CVSS 6.5 · AI score 6.6 · EPSS 0.0419
Exploits: 0 · References: 5
OSV
added 2024/04/23 6:15 p.m. · 9 views

PYSEC-2024-50

Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate...

CVSS 6.5 · AI score 7.1 · EPSS 0.0419
Exploits: 0 · References: 3
AlpineLinux
added 2024/04/23 5:26 p.m. · 22 views

CVE-2024-31208

Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate...

CVSS 6.5 · AI score 6.3 · EPSS 0.0419
Exploits: 0
Cvelist
added 2024/04/23 5:26 p.m. · 13 views

CVE-2024-31208 Synapse's V2 state resolution weakness allows DoS from remote room members

Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate...

CVSS 6.5 · AI score 6.5 · EPSS 0.0419
Exploits: 0 · References: 6
Vulnrichment
added 2024/04/23 5:26 p.m. · 17 views

CVE-2024-31208 Synapse's V2 state resolution weakness allows DoS from remote room members

Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate...

CVSS 6.5 · AI score 7.2 · EPSS 0.0419
Exploits: 0 · References: 6
Debian CVE
added 2024/04/23 5:26 p.m. · 18 views

CVE-2024-31208

Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate...

CVSS 6.5 · AI score 6.3 · EPSS 0.0419
Exploits: 0
OSV
added 2024/04/19 6:59 p.m. · 22 views

CVE-2024-31450 Owncast vulnerable to arbitrary file deletion in emoji.go (GHSL-2023-277)

Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The...

CVSS 2.7 · AI score 4.6 · EPSS 0.00126
Exploits: 1 · References: 6
Positive Technologies
added 2024/04/19 12:00 a.m. · 3 views

PT-2024-24084 · Owncast · Owncast

Name of the Vulnerable Software and Affected Versions: Owncast versions prior to 0.1.3
Description: Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL "/api/admin". The...

CVSS 5.1 · AI score 6.8 · EPSS 0.00126
Exploits: 1 · References: 12
Positive Technologies
added 2024/04/18 12:00 a.m. · 2 views

PT-2024-24598 · Tolgee · Tolgee

Name of the Vulnerable Software and Affected Versions: Tolgee versions 3.57.2 through 3.57.3
Description: Tolgee is an open-source localization platform. When an API key created by an admin user is used, it bypasses the permission check entirely.
Recommendations: For Tolgee versions 3.57.2 through...

CVSS 6.5 · AI score 7.2 · EPSS 0.00301
Exploits: 0 · References: 6
OSV
added 2024/04/05 2:45 p.m. · 22 views

CVE-2024-31218 Missing Authentication for Critical Function in Webhood backend

Webhood is a self-hosted URL scanner used for analyzing phishing and malicious sites. Webhood's backend container images in versions 0.9.0 and earlier are subject to a Missing Authentication for Critical Function vulnerability. This vulnerability allows an unauthenticated attacker to send an HTTP reques...

CVSS 9.8 · AI score 6.9 · EPSS 0.00289
Exploits: 0 · References: 4
OSV
added 2024/03/12 3:18 p.m. · 6 views

SUSE-SU-2024:0851-1 Security update for axis

This update for axis fixes the following issues:
- CVE-2023-51441: Fixed SSRF when untrusted input is passed to the service admin HTTP API bsc1218605...

CVSS 7.2 · AI score 6.9 · EPSS 0.00075
Exploits: 0 · References: 3
Positive Technologies
added 2024/03/07 12:00 a.m. · 1 view

PT-2024-20374 · Jfinalcms · Jfinalcms

Name of the Vulnerable Software and Affected Versions: Jfinalcms version 5.0.0
Description: A SQL injection issue allows a remote attacker to obtain sensitive information. The issue is related to the /admin/admin API endpoint, specifically the name parameter.
Recommendations: For Jfinalcms versio...

CVSS 7.5 · AI score 7.6 · EPSS 0.00069
Exploits: 1 · References: 3
OSV
added 2024/03/06 11:05 a.m. · 13 views

BIT-MEDIAWIKI-2022-29906

The admin API module in the QuizGame extension for MediaWiki through 1.37.2 before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66 omits a check for the quizadmin user...

CVSS 9.8 · AI score 9.5 · EPSS 0.00391
Exploits: 1 · References: 3
OSV
added 2024/03/06 10:58 a.m. · 15 views

BIT-MINIO-2020-11012 Authentication bypass MinIO Admin API

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations, i.e. creating new service accounts for existing access keys, without knowing the admin secret key. This has bee...

CVSS 9.3 · AI score 8.6 · EPSS 0.00133
Exploits: 0 · References: 5
OSV
added 2024/03/06 10:51 a.m. · 23 views

BIT-APISIX-2020-13945

In Apache APISIX, if a user enables the Admin API and deletes the Admin API's IP access restriction rules, the default token can then be used to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5...

CVSS 6.5 · AI score 6.5 · EPSS 0.93434
Exploits: 5 · References: 3
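The Webhood, QuizGame, MinIO and APISIX entries above share one failure pattern: a critical admin function that is reachable without a correct authentication check, whether because the check was omitted on one handler, because a shipped default credential is accepted, or because the only barrier was an IP allow-list that an operator can remove. The Go program below is an added illustration of the mitigation written for this page; it is not code from any of those projects. The route names, the bearer-token scheme and the placeholder default key are assumptions. It gates the whole /api/admin/ prefix with a single middleware so that a newly added admin route cannot be forgotten, refuses to serve admin routes at all while the key is empty or still the shipped default, and compares the presented key in constant time.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// DefaultAdminKey stands in for a key that ships in a default configuration.
// The value is a constructed placeholder for this example, not any real
// product's default; a shipped default is public knowledge and must never
// unlock the admin API.
const DefaultAdminKey = "default-admin-key-change-me"

// AdminAuth gates every request routed to it. Mounting it on the admin prefix
// means a new admin route cannot be added without also being protected, which
// is the failure mode behind "missing authentication for critical function".
type AdminAuth struct {
	Key  string       // the operator-configured admin key
	Next http.Handler // the admin routes, reached only after the check passes
}

func (a AdminAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Fail closed: no key, or the shipped default, means the admin API is off.
	if a.Key == "" || a.Key == DefaultAdminKey {
		http.Error(w, "admin API disabled until a non-default key is configured", http.StatusServiceUnavailable)
		return
	}
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		w.Header().Set("WWW-Authenticate", `Bearer realm="admin"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	presented := strings.TrimPrefix(auth, "Bearer ")
	// Constant-time comparison so a wrong key cannot be guessed byte by byte.
	if subtle.ConstantTimeCompare([]byte(presented), []byte(a.Key)) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	a.Next.ServeHTTP(w, r)
}

// NewAPI builds the server: public routes on the root mux, and the whole
// /api/admin/ subtree behind AdminAuth. Route names are assumptions.
func NewAPI(adminKey string) http.Handler {
	admin := http.NewServeMux()
	admin.HandleFunc("/api/admin/users", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "user list")
	})
	admin.HandleFunc("/api/admin/config", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "config")
	})

	root := http.NewServeMux()
	root.HandleFunc("/api/status", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	})
	root.Handle("/api/admin/", AdminAuth{Key: adminKey, Next: admin})
	return root
}

// Probe sends one in-memory request and returns the HTTP status, so the gate
// can be checked without opening a socket.
func Probe(h http.Handler, path, bearer string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const key = "operator-generated-random-key"
	api := NewAPI(key)
	for _, c := range []struct{ path, key string }{
		{"/api/status", ""},
		{"/api/admin/users", ""},
		{"/api/admin/users", "wrong"},
		{"/api/admin/users", key},
		{"/api/admin/not-yet-written", ""}, // still gated: auth sits on the prefix
	} {
		fmt.Printf("%-28s key=%-32q -> %d\n", c.path, c.key, Probe(api, c.path, c.key))
	}
	// A server still running on the shipped default refuses all admin traffic.
	fmt.Println("default key:", Probe(NewAPI(DefaultAdminKey), "/api/admin/users", DefaultAdminKey))
}
```

The point of mounting the check on the prefix rather than inside each handler is visible in the last probe: a route that does not exist yet is already refused with 401, and an authenticated caller gets a 404 rather than a bypass. Network-level restrictions such as an IP allow-list are a useful second layer, but as the APISIX entry shows they are not a substitute for the key check.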
CNNVD
added 2024/02/28 12:00 a.m. · 1 view

WordPress Plugin Seraphinite Accelerator Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in WordPres...

CVSS 6.4 · AI score 6.8 · EPSS 0.00153
Exploits: 0 · References: 3
Positive Technologies
added 2024/02/27 12:00 a.m. · 1 view

PT-2024-18139 · WordPress · Seraphinite Accelerator

Name of the Vulnerable Software and Affected Versions: Seraphinite Accelerator plugin for WordPress versions up to, and including, 2.20.52
Description: The issue allows authenticated attackers with subscriber-level access and above to make web requests to arbitrary locations originating from the...

CVSS 6.4 · AI score 9.3 · EPSS 0.00153
Exploits: 0 · References: 6
CVE
added 2024/02/21 5:00 p.m. · 37 views

CVE-2024-1703

CVE-2024-1703 affects ZhongBangKeJi CRMEB version 5.2.2, specifically the openfile function in /adminapi/system/file/openfile. The vulnerability is an absolute path traversal in that endpoint, enabling an attacker to access files outside the intended directory. The vulnerability has been disclose...

CVSS 5.3 · AI score 4.2 · EPSS 0.00276
Exploits: 1 · References: 3 · Affected software: 1
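Two entries in this listing are file-path checks gone wrong: Owncast's emoji/delete endpoint (CVE-2024-31450), where a name supplied to the admin API reached the filesystem delete, and CRMEB's openfile endpoint (CVE-2024-1703), where an absolute path escaped the intended directory. The Go code below is an added example of the containment check both endpoints needed; it was written for this page and is not taken from either project. The base directory, the sample file names and the DeleteInBase helper are assumptions. It shows the unsafe join beside a resolver that rejects absolute input outright and then verifies that the cleaned, joined path still lies inside the base.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned for any name that would resolve outside the base
// directory, whether via an absolute path or via ".." segments.
var ErrOutsideBase = errors.New("path escapes base directory")

// UnsafeResolve is the pattern behind both advisories: the caller-supplied name
// is joined onto the storage directory and handed straight to the filesystem.
// filepath.Join cleans the result, so "../../etc/passwd" simply walks upward.
func UnsafeResolve(base, name string) string {
	return filepath.Join(base, name)
}

// ResolveInBase returns the absolute path for name inside base, or ErrOutsideBase.
// It rejects absolute input outright, then checks the cleaned joined path for
// escape through "..". The check is lexical; symlinks planted inside base are
// handled by the caller (see DeleteInBase).
func ResolveInBase(base, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", ErrOutsideBase
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absBase, filepath.FromSlash(name))
	rel, err := filepath.Rel(absBase, full)
	if err != nil {
		return "", ErrOutsideBase
	}
	// rel == "." would name the base directory itself; a ".." prefix leaves it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

// DeleteInBase removes a regular file inside base. Lstat (not Stat) is used so
// that a symlink planted inside base is refused rather than unlinked, and so a
// read-style endpoint built the same way would not follow it to its target.
func DeleteInBase(base, name string) error {
	full, err := ResolveInBase(base, name)
	if err != nil {
		return err
	}
	info, err := os.Lstat(full)
	if err != nil {
		return err
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("refusing to delete %q: not a regular file", name)
	}
	return os.Remove(full)
}

func main() {
	// Constructed sample store with one custom emoji in it.
	base, _ := os.MkdirTemp("", "emoji-")
	defer os.RemoveAll(base)
	_ = os.WriteFile(filepath.Join(base, "smile.png"), []byte("png"), 0o600)

	for _, name := range []string{"smile.png", "../../etc/passwd", "/etc/passwd", "sub/../../x", ".."} {
		p, err := ResolveInBase(base, name)
		fmt.Printf("%-18q unsafe=%s safe=%q err=%v\n", name, UnsafeResolve(base, name), p, err)
	}
	fmt.Println("delete smile.png:", DeleteInBase(base, "smile.png"))
}
```

On Go 1.20 or newer, filepath.IsLocal performs the same lexical "does not escape" test in one call and can replace the Rel check; the symlink handling still has to be done separately, and for a read endpoint that means resolving with filepath.EvalSymlinks and re-checking the result against the base before opening the file.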