332 matches found

CNVD · added 2023/08/15 12:00 a.m. · 11 views

ZrLog Directory Traversal Vulnerability

ZrLog is a blogging system developed using the Java language. A directory traversal vulnerability exists in ZrLog version 2.1.15, which stems from a lack of validity checking of paths in the admin.api.TemplateController deletion function when processing directory requests, and can be exploited by...

CVSS 9.1 · AI score 6.9 · EPSS 0.01104
Exploits: 1 · References: 1
OSV · added 2023/08/11 2:15 p.m. · 0 views

CVE-2020-27514

Directory Traversal vulnerability in delete function in admin.api.TemplateController in ZrLog version 2.1.15, allows remote attackers to delete arbitrary files and cause a denial of service (DoS)...

CVSS 9.1 · AI score 5.9
Exploits: 0 · References: 1
Veracode · added 2023/06/16 11:15 a.m. · 18 views

Authorization Bypass

matrix-synapse is vulnerable to Authorization Bypass. The vulnerability exists because it does not properly validate the deactivated status of users during login time, which allows a user to log in even if their account is deactivated. Note that this vulnerability only applies if JSON Web Tokens a...

CVSS 5.4 · AI score 6.7 · EPSS 0.00975
Exploits: 0 · References: 9 · Affected software: 2
NVD · added 2023/06/06 7:15 p.m. · 13 views

CVE-2023-32682

Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for login via the...

CVSS 5.4 · AI score 5.4 · EPSS 0.00975
Exploits: 0 · References: 7
Prion · added 2023/06/06 7:15 p.m. · 13 views

Design/Logic Flaw

Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for login via the...

CVSS 5.5 · AI score 5.3 · EPSS 0.00975
Exploits: 0 · References: 7 · Affected software: 1
OSV · added 2023/06/06 7:15 p.m. · 21 views

PYSEC-2023-84

Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for login via the...

CVSS 5.4 · AI score 6.7 · EPSS 0.00975
Exploits: 0 · References: 6
UbuntuCve · added 2023/06/06 7:15 p.m. · 16 views

CVE-2023-32682

Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for login via the...

CVSS 5.4 · AI score 6.1 · EPSS 0.00975
Exploits: 0 · References: 7
AlpineLinux · added 2023/06/06 6:20 p.m. · 18 views

CVE-2023-32682

Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for login via the...

CVSS 5.4 · AI score 5.4 · EPSS 0.00975
Exploits: 0
OSV · added 2023/06/06 4:40 p.m. · 17 views

GHSA-26C5-PPR8-F33P Synapse has improper checks for deactivated users during login

Impact: It may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: (1) JSON Web Tokens are enabled for login via the jwt_config.enabled configuration setting; (2) the local password database is enabled via the...

CVSS 5.4 · AI score 5.3 · EPSS 0.00975
Exploits: 0 · References: 12
Github Security Blog · added 2023/06/06 4:40 p.m. · 39 views

Synapse has improper checks for deactivated users during login

Impact: It may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: (1) JSON Web Tokens are enabled for login via the jwt_config.enabled configuration setting; (2) the local password database is enabled via the...

CVSS 5.4 · AI score 6.8 · EPSS 0.00975
Exploits: 0 · References: 12 · Affected software: 1
Positive Technologies · added 2023/03/23 12:00 a.m. · 2 views

PT-2023-17114 · Zhong Bang · Crmeb

Name of the Vulnerable Software and Affected Versions: Zhong Bang CRMEB Java versions up to 1.3.4. Description: A critical issue affects the function getAdminList of the file "/api/admin/store/product/list". The manipulation of the argument cateId leads to SQL injection. The attack can be initiate...

CVSS 9.8 · AI score 6.9 · EPSS 0.00271
Exploits: 1 · References: 7
Positive Technologies · added 2023/03/17 12:00 a.m. · 1 view

PT-2023-16986 · Meizhou Qingyunke · Qykcms

Name of the Vulnerable Software and Affected Versions: Meizhou Qingyunke QYKCMS version 4.3.0. Description: A vulnerability was found in the Update Handler component of Meizhou Qingyunke QYKCMS, affecting an unknown part of the file /admin system/api.php. The manipulation of the downurl argument...

CVSS 7.2 · AI score 5.1 · EPSS 0.00509
Exploits: 1 · References: 6
RedHat Linux · added 2023/03/01 10:02 p.m. · 4 views

keycloak: HTML injection in execute-actions-email Admin REST API

A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users...

CVSS 5.4 · AI score 6.3 · EPSS 0.00993
Exploits: 0 · References: 5
OSV · added 2023/03/01 5:58 p.m. · 6 views

GHSA-M4FV-GM5M-4725 HTML Injection in Keycloak Admin REST API

The execute-actions-email endpoint of the Keycloak Admin REST API allows a malicious actor to send emails containing phishing links to Keycloak users...

CVSS 5.4 · AI score 6.4 · EPSS 0.00993
Exploits: 0 · References: 7
SUSE CVE · added 2023/02/15 5:45 a.m. · 1 view

SUSE CVE-2012-3542

OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex 2012.1, allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly...

CVSS 4.3 · AI score 7.2 · EPSS 0.01949
Exploits: 0 · References: 3
SUSE CVE · added 2023/02/15 4:37 a.m. · 2 views

SUSE CVE-2017-16818

RADOS Gateway in Ceph 12.1.0 through 12.2.1 allows remote authenticated users to cause a denial of service (assertion failure and application exit) by leveraging "full" (not necessarily admin) privileges to post an invalid profile to the admin API, related to rgw/rgw_iam_policy.cc, rgw/rgw_basic_types.h,...

CVSS 7.5 · AI score 6.6 · EPSS 0.00587
Exploits: 0 · References: 7
Prion · added 2022/12/18 11:15 a.m. · 11 views

Cross site scripting

A vulnerability was found in Shoplazza LifeStyle 1.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/api/theme-edit/ of the component Product Handler. The manipulation of the argument Subheading/Heading/Text/Button Text/Label leads to cross...

CVSS 4.9 · AI score 5.2 · EPSS 0.00272
Exploits: 0 · References: 3 · Affected software: 1
Positive Technologies · added 2022/11/23 12:00 a.m. · 2 views

PT-2022-8678 · Optilink · Optilink Op-Xt71000N

Name of the Vulnerable Software and Affected Versions: OPTILINK OP-XT71000N version V2.2, Firmware Version: OP V3.3.1-191028. Description: A remote attacker can conduct a cross-site request forgery (CSRF) attack due to insufficient CSRF protections for the "mgm config file.asp" file. This allows an...

CVSS 8.8 · AI score 7.2 · EPSS 0.00214
Exploits: 0 · References: 4
CNVD · added 2022/09/29 12:00 a.m. · 46 views

Strapi SQL Injection Vulnerability

Strapi is an open source content management system (CMS). Versions of Strapi prior to 3.6.10, and versions 4.0.0 and later but prior to 4.1.10, contain a SQL injection vulnerability that stems from incorrect handling of hidden attributes in admin API responses. An attacker could exploit the vulnerabilit...

CVSS 8.8 · AI score 3.5 · EPSS 0.00665
Exploits: 2 · References: 1
Veracode · added 2022/09/28 8:32 a.m. · 27 views

Information Disclosure

strapi is vulnerable to information disclosure. The vulnerability exists due to a lack of sanitization of the attributes within admin API responses, allowing an attacker to exploit the vulnerability and use the information for malicious intent...

CVSS 8.8 · AI score 8 · EPSS 0.00665
Exploits: 2 · References: 6 · Affected software: 1