345 matches found
CVE-2024-31450 Owncast vulnerable to arbitrary file deletion in emoji.go (GHSL-2023-277)
Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The...
PT-2024-24084 · Owncast · Owncast
Name of the Vulnerable Software and Affected Versions: Owncast versions prior to 0.1.3 Description: Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL "/api/admin". The...
PT-2024-24598 · Tolgee · Tolgee
Name of the Vulnerable Software and Affected Versions: Tolgee versions 3.57.2 through 3.57.3 Description: Tolgee is an open-source localization platform. When an API key created by an admin user is used, the permission check is bypassed entirely. Recommendations: For Tolgee versions 3.57.2 through...
CVE-2024-31218 Missing Authentication for Critical Function in Webhood backend
Webhood is a self-hosted URL scanner used for analyzing phishing and malicious sites. Webhood's backend container images in versions 0.9.0 and earlier are subject to a Missing Authentication for Critical Function vulnerability. This vulnerability allows an unauthenticated attacker to send an HTTP reques...
SUSE-SU-2024:0851-1 Security update for axis
This update for axis fixes the following issues: - CVE-2023-51441: Fixed SSRF when untrusted input is passed to the service admin HTTP API bsc1218605...
PT-2024-20374 · Jfinalcms · Jfinalcms
Name of the Vulnerable Software and Affected Versions: Jfinalcms version 5.0.0 Description: A SQL injection issue allows a remote attacker to obtain sensitive information. The issue is related to the /admin/admin API endpoint, specifically the name parameter. Recommendations: For Jfinalcms versio...
BIT-MEDIAWIKI-2022-29906
The admin API module in the QuizGame extension for MediaWiki through 1.37.2 before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66 omits a check for the quizadmin user...
BIT-MINIO-2020-11012 Authentication bypass MinIO Admin API
MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations (such as creating new service accounts for existing access keys) without knowing the admin secret key. This has bee...
BIT-APISIX-2020-13945
In Apache APISIX, if the user enables the Admin API and removes the Admin API access IP restriction rules, the default admin token can be used to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5...
WordPress Plugin Seraphinite Accelerator Security Vulnerability
WordPress and its plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that runs on PHP and MySQL servers; a WordPress plugin is an application plugin that extends it. A security vulnerability exists in WordPres...
PT-2024-18139 · WordPress · Seraphinite Accelerator
Name of the Vulnerable Software and Affected Versions: Seraphinite Accelerator plugin for WordPress versions up to, and including, 2.20.52 Description: The issue allows authenticated attackers with subscriber-level access and above to make web requests to arbitrary locations originating from the...
CVE-2024-1703
CVE-2024-1703 affects ZhongBangKeJi CRMEB version 5.2.2, specifically the openfile function in /adminapi/system/file/openfile. The vulnerability is an absolute path traversal in that endpoint, enabling an attacker to access files outside the intended directory. The vulnerability has been disclose...
CRMEB Security Vulnerabilities
Zhongbang CRMEB is an open source e-commerce management system from Zhongbang in Xi'an, China. CRMEB version 5.2.2 has a security vulnerability that stems from a path traversal in the openfile function of the file /adminapi/system/file/openfile...
PT-2024-18237 · Zhongbangkeji · Crmeb
Name of the Vulnerable Software and Affected Versions: ZhongBangKeJi CRMEB version 5.2.2 Description: A critical issue affects the function save/delete of the file "/adminapi/system/crud". The manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. The...
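The Owncast entry above (arbitrary file deletion through the admin emoji/delete endpoint) and the two CRMEB entries (path traversal in /adminapi/system/file/openfile and in the save/delete functions under /adminapi/system/crud) share one root cause: an admin API takes a file name from the request and resolves it on disk without confining it to the directory the endpoint is meant to manage. The Go code that follows is an added example written for this page; it is not Owncast's or CRMEB's code and does not reproduce either exploit. The temporary directory layout, the assumption that the managed assets are flat files with no subdirectories, and the function names are all assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested name would resolve to a file
// outside the directory the endpoint is allowed to manage.
var ErrOutsideBase = errors.New("name would resolve outside the permitted directory")

// unsafeDeletePath shows the pattern behind arbitrary-file-deletion bugs in
// admin APIs: the name taken from the request is joined to the storage
// directory and used as-is, so "../../etc/passwd" walks out of the directory.
// This is a constructed illustration, not Owncast's or CRMEB's code.
func unsafeDeletePath(baseDir, name string) string {
	return filepath.Join(baseDir, name)
}

// safeDeletePath confines name to baseDir. The stored assets are assumed to be
// flat files (one name, no subdirectories), so any path separator, an absolute
// path, an empty name and the "." and ".." components are rejected outright.
// The final Rel check guards the join itself, so the function stays correct
// even if a later change loosens the separator rule.
func safeDeletePath(baseDir, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || strings.ContainsAny(name, `/\`) {
		return "", ErrOutsideBase
	}
	absBase, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absBase, name) // Join also cleans the result
	rel, err := filepath.Rel(absBase, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return target, nil
}

// deleteFromDir is what a delete handler should call: it resolves the name
// through safeDeletePath and only then touches the filesystem. os.Remove
// unlinks a symlink rather than following it, so a link planted inside
// baseDir cannot turn this into deletion of the link's target.
func deleteFromDir(baseDir, name string) error {
	target, err := safeDeletePath(baseDir, name)
	if err != nil {
		return err
	}
	return os.Remove(target)
}

func main() {
	// Constructed demo layout: a temporary "emoji" directory holding one asset,
	// plus a sibling file that the endpoint must never be able to reach.
	root, err := os.MkdirTemp("", "adminapi-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	emojiDir := filepath.Join(root, "emoji")
	if err := os.Mkdir(emojiDir, 0o700); err != nil {
		panic(err)
	}
	if err := os.WriteFile(filepath.Join(emojiDir, "party.png"), []byte("png"), 0o600); err != nil {
		panic(err)
	}
	if err := os.WriteFile(filepath.Join(root, "secret.db"), []byte("db"), 0o600); err != nil {
		panic(err)
	}

	for _, name := range []string{"party.png", "../secret.db", "/etc/passwd", "..", "sub/x.png"} {
		fmt.Printf("%-14q unsafe -> %s\n", name, unsafeDeletePath(emojiDir, name))
		if p, err := safeDeletePath(emojiDir, name); err != nil {
			fmt.Printf("%-14q safe   -> rejected: %v\n", name, err)
		} else {
			fmt.Printf("%-14q safe   -> %s\n", name, p)
		}
	}
	if err := deleteFromDir(emojiDir, "../secret.db"); err == nil {
		panic("traversal was not blocked")
	}
	if _, err := os.Stat(filepath.Join(root, "secret.db")); err != nil {
		panic("secret.db should still exist")
	}
}
```

The check is deliberately done on the cleaned absolute path rather than on the raw string, because a prefix comparison on the uncleaned input can be fooled by a name such as "emoji-extra/.." that happens to begin with the base directory's name. If the endpoint ever needs to read rather than delete, the symlink remark no longer holds and the resolved path should additionally be passed through filepath.EvalSymlinks before the Rel check.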
IBM Integration Bus Resource Management Error Vulnerability
IBM Integration Bus (formerly IBM WebSphere Message Broker) is an enterprise service bus (ESB) product from International Business Machines (IBM). The product provides connectivity and common data transformation for service-oriented architecture (SOA) and non-SOA environments. A resource management...
PT-2024-19345 · Ibm · Ibm Integration Bus
Name of the Vulnerable Software and Affected Versions: IBM Integration Bus for z/OS versions 10.1 through 10.1.0.2 Description: The issue is related to a denial of service due to file system exhaustion in the AdminAPI. Recommendations: For versions 10.1 through 10.1.0.2, consider restricting acce...
CVE-2023-52077
Nexkey is a lightweight fork of Misskey v12 optimized for small to medium size servers. Prior to 12.23Q4.5, Nexkey allows external apps using tokens issued by administrators and moderators to call admin APIs. This allows malicious third-party apps to perform operations such as updating server...
CVE-2023-48966
An arbitrary file upload vulnerability in the component /admin/api.upload/file of ThinkAdmin v6.1.53 allows attackers to execute arbitrary code via a crafted Zip file...
Design/Logic Flaw
An issue in the component /admin/api.plugs/script of ThinkAdmin v6.1.53 allows attackers to obtain a shell by providing a crafted URL from which a malicious PHP file is downloaded...
Fedora 38 : matrix-synapse (2023-c3c8cc5f8b)
The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-c3c8cc5f8b advisory. Update to v1.94.0 CVE-2023-45129 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...