GHSA-26C5-PPR8-F33P Synapse has improper checks for deactivated users during login
Impact It may be possible for a deactivated user to log in when using uncommon configurations. This only applies if any of the following are true: JSON Web Tokens are enabled for login via the jwt_config.enabled configuration setting; the local password database is enabled via the...
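The advisory's point is structural: a deactivation check that lives inside one login backend is silently skipped by every other backend the configuration enables. The following is an added illustration, not Synapse's code; the service, backend and user names are hypothetical, the user table is constructed, and the JWT check is a stand-in for real signature verification. It shows the vulnerable shape (check buried in the password path, so a valid JWT still logs a deactivated user in) next to the fixed shape (one check on the shared path after any backend has authenticated, before a session is issued).

```python
# Added example (not Synapse code): why a deactivation check must sit on the
# shared post-authentication path rather than inside one login backend.
# All names (User, LoginService, login_vulnerable, login_fixed) are
# hypothetical and the user table is constructed.
from dataclasses import dataclass, field
from typing import Dict, List


class LoginError(Exception):
    pass


@dataclass
class User:
    user_id: str
    password: str
    deactivated: bool = False


@dataclass
class LoginService:
    users: Dict[str, User]
    jwt_enabled: bool = False      # stand-in for a JWT login setting
    password_enabled: bool = True  # stand-in for a local-password setting
    issued: List[str] = field(default_factory=list)

    def _issue_session(self, user: User) -> str:
        token = f"session-{user.user_id}-{len(self.issued)}"
        self.issued.append(token)
        return token

    # Backends only authenticate; account policy is not their job.
    def _password_backend(self, user_id: str, secret: str) -> User:
        user = self.users.get(user_id)
        if user is None or user.password != secret:
            raise LoginError("bad credentials")
        return user

    def _jwt_backend(self, user_id: str, token: str) -> User:
        # Constructed stand-in for signature verification: a valid token is
        # simply "jwt-for-<user_id>". Real code would verify a signed JWT.
        if token != f"jwt-for-{user_id}":
            raise LoginError("bad token")
        user = self.users.get(user_id)
        if user is None:
            raise LoginError("unknown user")
        return user

    def _select_backend(self, method: str):
        if method == "password" and self.password_enabled:
            return self._password_backend
        if method == "jwt" and self.jwt_enabled:
            return self._jwt_backend
        raise LoginError("login method disabled")

    # Vulnerable shape: the deactivation check exists only on the password
    # path, so a deactivated user holding a valid JWT still gets a session.
    def login_vulnerable(self, method: str, user_id: str, secret: str) -> str:
        user = self._select_backend(method)(user_id, secret)
        if method == "password" and user.deactivated:
            raise LoginError("account deactivated")
        return self._issue_session(user)

    # Fixed shape: one check after *any* backend has authenticated and before
    # a session is issued; a newly added backend cannot bypass it.
    def login_fixed(self, method: str, user_id: str, secret: str) -> str:
        user = self._select_backend(method)(user_id, secret)
        if user.deactivated:
            raise LoginError("account deactivated")
        return self._issue_session(user)


def demo() -> dict:
    """Try both shapes against a constructed deactivated user; returns
    {(shape, method): True if a session was issued, False if refused}."""
    svc = LoginService(
        users={"alice": User("alice", "hunter2", deactivated=True)},
        jwt_enabled=True,
    )
    results = {}
    for name, fn in (("vulnerable", svc.login_vulnerable), ("fixed", svc.login_fixed)):
        for method, secret in (("password", "hunter2"), ("jwt", "jwt-for-alice")):
            try:
                fn(method, "alice", secret)
                results[(name, method)] = True
            except LoginError:
                results[(name, method)] = False
    return results


if __name__ == "__main__":
    for (shape, method), ok in demo().items():
        print(f"{shape:>10} / {method:<8} -> {'LOGGED IN' if ok else 'refused'}")
```

The check to take away: for every enabled login method, attempt a login as a deactivated test account and confirm it is refused; a test that covers only the password path would have passed the vulnerable shape above.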
PT-2023-17114 · Zhong Bang · Crmeb
Name of the Vulnerable Software and Affected Versions: Zhong Bang CRMEB Java versions up to 1.3.4 Description: A critical issue affects the function getAdminList of the file "/api/admin/store/product/list". The manipulation of the argument cateId leads to sql injection. The attack can be initiate...
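The snippet describes the classic shape of this bug: a request parameter (cateId) spliced into a query string. As an added example, not CRMEB's Java code, here is that shape reproduced in Python over a constructed in-memory SQLite table, beside a version that validates the type and binds the value. Function names and schema are hypothetical stand-ins for getAdminList and the product table.

```python
# Added example (not CRMEB code): the admin product-list query with the
# category id concatenated into SQL, beside a validated, parameterized form.
# The SQLite schema, rows and function names are constructed stand-ins.
import sqlite3

SAMPLE_PRODUCTS = [  # constructed rows: (id, name, cate_id)
    (1, "kettle", 10),
    (2, "toaster", 10),
    (3, "router", 20),
    (4, "camera", 30),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER, name TEXT, cate_id INTEGER)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def get_admin_list_vulnerable(conn: sqlite3.Connection, cate_id: str) -> list:
    # cateId arrives as a request string and is spliced straight into SQL,
    # so "10 OR 1=1" becomes part of the WHERE clause.
    sql = f"SELECT id, name FROM product WHERE cate_id = {cate_id}"
    return conn.execute(sql).fetchall()


def get_admin_list_fixed(conn: sqlite3.Connection, cate_id: str) -> list:
    # Validate the type first, then bind: the value can only ever be data.
    try:
        cate_id_int = int(cate_id)
    except ValueError:
        raise ValueError("cateId must be an integer")
    sql = "SELECT id, name FROM product WHERE cate_id = ?"
    return conn.execute(sql, (cate_id_int,)).fetchall()


def fixed_rejects(cate_id: str) -> bool:
    """True if the hardened query refuses the input instead of running it."""
    try:
        get_admin_list_fixed(make_db(), cate_id)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Row counts returned for an honest id and a constructed injection payload."""
    conn = make_db()
    honest, hostile = "10", "10 OR 1=1"
    return {
        "vuln_honest": len(get_admin_list_vulnerable(conn, honest)),
        "vuln_hostile": len(get_admin_list_vulnerable(conn, hostile)),
        "fixed_honest": len(get_admin_list_fixed(conn, honest)),
        "fixed_rejects_hostile": fixed_rejects(hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>22}: {value}")
```

The honest request returns the two products in category 10; the hostile one returns every row from the vulnerable query, which is the same filter bypass the advisory describes, while the hardened query refuses it before any SQL runs.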
PT-2023-16986 · Meizhou Qingyunke · Qykcms
Name of the Vulnerable Software and Affected Versions: Meizhou Qingyunke QYKCMS version 4.3.0 Description: A vulnerability was found in the Update Handler component of Meizhou Qingyunke QYKCMS, affecting an unknown part of the file /admin_system/api.php. The manipulation of the downurl argument...
keycloak: HTML injection in execute-actions-email Admin REST API
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users...
GHSA-M4FV-GM5M-4725 HTML Injection in Keycloak Admin REST API
The execute-actions-email endpoint of the Keycloak Admin REST API allows a malicious actor to send emails containing phishing links to Keycloak users...
SUSE CVE-2012-3542
OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex 2012.1, allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly...
SUSE CVE-2017-16818
RADOS Gateway in Ceph 12.1.0 through 12.2.1 allows remote authenticated users to cause a denial of service (assertion failure and application exit) by leveraging "full" (not necessarily admin) privileges to post an invalid profile to the admin API, related to rgw/rgw_iam_policy.cc, rgw/rgw_basic_types.h,...
Cross site scripting
A vulnerability was found in Shoplazza LifeStyle 1.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/api/theme-edit/ of the component Product Handler. The manipulation of the argument Subheading/Heading/Text/Button Text/Label leads to cross...
PT-2022-8678 · Optilink · Optilink Op-Xt71000N
Name of the Vulnerable Software and Affected Versions: OPTILINK OP-XT71000N version V2.2, Firmware Version: OP V3.3.1-191028 Description: A remote attacker can conduct a cross-site request forgery (CSRF) attack due to insufficient CSRF protections for the "mgm_config_file.asp" file. This allows an...
Strapi SQL Injection Vulnerability
Strapi is an open source content management system (CMS). Strapi versions prior to 3.6.10, and 4.x versions prior to 4.1.10, contain a SQL injection vulnerability that stems from its incorrect handling of hidden attributes in admin API responses. An attacker could exploit the vulnerabilit...
Information Disclosure
Strapi is vulnerable to information disclosure. The vulnerability exists due to a lack of sanitization of the attributes within admin API responses, allowing an attacker to exploit the vulnerability and use the disclosed information for malicious intent...
GHSA-4PHG-HPQM-C3J4 Strapi mishandles hidden attributes within admin API responses
Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses...
CVE-2022-31367
Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses...
Design/Logic Flaw
Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses...
CVE-2022-31367
Strapi CMS (versions prior to 3.6.10 and 4.x prior to 4.1.10) is affected by a SQL injection vulnerability caused by incorrect handling of hidden attributes in admin API responses. This design/logic flaw allows an attacker to exfiltrate database data. Remediation: upgrade to Strapi 3.6.10 or 4.1....
PT-2022-20719 · Strapi · Strapi
Name of the Vulnerable Software and Affected Versions: Strapi versions 3.x through 3.6.9; Strapi versions 4.x through 4.1.9 Description: The issue concerns the mishandling of hidden attributes within admin API responses. Recommendations: For Strapi versions 3.x through 3.6.9, update to version...
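The recurring phrase across these Strapi entries is "hidden attributes within admin API responses": fields marked as not to be returned (password hashes, reset tokens) that still appear when the model is embedded as a relation inside another record. As an added example, not Strapi's code, the block below shows a top-level-only sanitizer that leaks exactly that way, beside a recursive one that applies each related model's own rules. The schema, relation map and sample record are constructed; the private attribute names and hash values are illustrative.

```python
# Added example (not Strapi code): stripping private attributes from an
# admin API response, including the same model nested as a relation.
# The schema, relation map, record and all names are constructed.
from copy import deepcopy
from typing import Any, Dict, List

# Per model: attributes that must never leave the server.
PRIVATE_ATTRS: Dict[str, set] = {
    "user": {"password", "resetPasswordToken"},
    "article": set(),
}
# Per model: which attributes hold related records, and of which model.
RELATIONS: Dict[str, Dict[str, str]] = {
    "article": {"author": "user", "reviewers": "user"},
    "user": {},
}

SAMPLE_ARTICLE: Dict[str, Any] = {  # constructed admin API payload
    "id": 7,
    "title": "Release notes",
    "author": {"id": 1, "username": "editor",
               "password": "$2a$10$hash1", "resetPasswordToken": "tok"},
    "reviewers": [
        {"id": 2, "username": "rev1", "password": "$2a$10$hash2"},
        {"id": 3, "username": "rev2", "password": "$2a$10$hash3"},
    ],
}


def sanitize_top_level_only(model: str, record: dict) -> dict:
    """Flawed shape: private attributes are removed only for the requested
    model, so every populated relation keeps its own private fields."""
    private = PRIVATE_ATTRS.get(model, set())
    return {k: v for k, v in record.items() if k not in private}


def sanitize(model: str, record: Any) -> Any:
    """Recursive shape: strip this model's private attributes, then descend
    into each relation (single or list) with the related model's rules."""
    if record is None:
        return None
    if isinstance(record, list):
        return [sanitize(model, item) for item in record]
    private = PRIVATE_ATTRS.get(model, set())
    relations = RELATIONS.get(model, {})
    out = {}
    for key, value in record.items():
        if key in private:
            continue
        out[key] = sanitize(relations[key], value) if key in relations else deepcopy(value)
    return out


def leaked_fields(record: Any, path: str = "") -> List[str]:
    """Audit helper: paths in a response whose key is private for any model."""
    all_private = set().union(*PRIVATE_ATTRS.values())
    found: List[str] = []
    if isinstance(record, dict):
        for k, v in record.items():
            p = f"{path}.{k}" if path else k
            if k in all_private:
                found.append(p)
            found.extend(leaked_fields(v, p))
    elif isinstance(record, list):
        for i, v in enumerate(record):
            found.extend(leaked_fields(v, f"{path}[{i}]"))
    return found


if __name__ == "__main__":
    print("top-level only leaks:", leaked_fields(sanitize_top_level_only("article", SAMPLE_ARTICLE)))
    print("recursive leaks:     ", leaked_fields(sanitize("article", SAMPLE_ARTICLE)))
```

The leaked_fields audit is the practical check: run it over real responses from every admin endpoint that populates relations, not only over the model whose private fields you configured.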
PT-2022-23199
Name of the Vulnerable Software and Affected Versions Netmaker versions prior to 0.15.1 Description The issue is related to Improper Authorization functions, which allow non-privileged users to run privileged API calls. If users without admin privileges are added to the Netmaker platform, they ca...