Cross site scripting

The SOAP Admin API component of TIBCO Software Inc.'s TIBCO Silver Fabric contains a vulnerability that may allow reflected cross-site scripting XSS attacks. Affected releases are TIBCO Software Inc.'s TIBCO Silver Fabric: versions up to and including 5.8.1...

CVE-2018-12409

The SOAP Admin API component of TIBCO Software Inc.'s TIBCO Silver Fabric contains a vulnerability that may allow reflected cross-site scripting XSS attacks. Affected releases are TIBCO Software Inc.'s TIBCO Silver Fabric: versions up to and including 5.8.1...

TIBCO Security Advisory: February 13, 2019 - TIBCO SilverFabric

TIBCO Silver Fabric Vulnerable to Reflected Cross-Site Scripting attacks Original release date: February 13,2019 Last revised: CVE-2018-12409 Source: TIBCO Software Inc. TIBCO Silver Fabric Vulnerable to Reflected Cross-Site Scripting attacks Original release date: February 13, 2019 Last revised:...

Authentication Bypass

github.com/minio/minio is vulnerable to authentication bypass attacks. The vulnerability exists as attackers can modify pre-signed signature V2 requests to make Admin-API calls...

Authentication flaw

RADOS Gateway in Ceph 12.1.0 through 12.2.1 allows remote authenticated users to cause a denial of service assertion failure and application exit by leveraging "full" not necessarily admin privileges to post an invalid profile to the admin API, related to rgw/rgwiampolicy.cc, rgw/rgwbasictypes.h,...

CVE-2017-16818

RADOS Gateway in Ceph 12.1.0 through 12.2.1 allows remote authenticated users to cause a denial of service assertion failure and application exit by leveraging "full" not necessarily admin privileges to post an invalid profile to the admin API, related to rgw/rgwiampolicy.cc, rgw/rgwbasictypes.h,...

CVE-2017-16818

RADOS Gateway in Ceph 12.1.0 through 12.2.1 allows remote authenticated users to cause a denial of service assertion failure and application exit by leveraging "full" not necessarily admin privileges to post an invalid profile to the admin API, related to rgw/rgwiampolicy.cc, rgw/rgwbasictypes.h,...

CVE-2017-16818

RADOS Gateway in Ceph 12.1.0 through 12.2.1 allows remote authenticated users to cause a denial of service assertion failure and application exit by leveraging "full" not necessarily admin privileges to post an invalid profile to the admin API, related to rgw/rgwiampolicy.cc, rgw/rgwbasictypes.h,...

CVE-2017-16818

RADOS Gateway in Ceph 12.1.0 through 12.2.1 allows remote authenticated users to cause a denial of service assertion failure and application exit by leveraging "full" not necessarily admin privileges to post an invalid profile to the admin API, related to rgw/rgwiampolicy.cc, rgw/rgwbasictypes.h,...

CVE-2017-16818

RADOS Gateway in Ceph 12.1.0 through 12.2.1 allows remote authenticated users to cause a denial of service assertion failure and application exit by leveraging "full" not necessarily admin privileges to post an invalid profile to the admin API, related to rgw/rgwiampolicy.cc, rgw/rgwbasictypes.h,...

WordPress 4.5.x < 4.6 Multiple Vulnerabilities

Binary data 9949.prm...

WordPress Admin API Directory Traversal (CVE-2016-6896)

A directory traversal vulnerability has been reported in WordPress. This vulnerability is due to incorrect validation of a user supplied path for directory traversal characters. An authenticated user with subscriber privileges could exploit this vulnerability by sending specially crafted requests...

WordPress < 4.6 Multiple Vulnerabilities

According to its self-reported version number, the WordPress application running on the remote web server is prior to 4.6. It is, therefore, affected by multiple vulnerabilities : - A path traversal vulnerability exists in the WordPress Admin API in the wpajaxupdateplugin function in...

WordPress Core 4.5.3 - Directory Traversal / Denial of Service

Path traversal vulnerability in WordPress Core Ajax handlers Abstract A path traversal vulnerability was found in the Core Ajax handlers of the WordPress Admin API. This issue can potentially be used by an authenticated user Subscriber to create a denial of service condition of an affected...

WordPress <= 4.5.3 - Path traversal

WordPress prior to 4.5.3 is prone to a path traversal vulnerability. It was found in the Core Ajax handlers of the WordPress Admin API. Solution Update WordPress to 4.6...

New Relic: CSRF - Regenerate all admin api keys

Hi The request to regenerate all admin api keys is a GET request without CSRF protection. As such, you can regenerate someone's keys using csrf. While not too big of an issue the admin can always see the keys and use them its certainly annoying and can cause business disruption. Additionally, a...

Toxy - Hackable Http Proxy To Simulate Server Failure Scenarios And Network Conditions

Toxy is a fully programmatic and hackable HTTP proxy to simulate server failure scenarios and unexpected network conditions , built for node.js / io.js . It was mainly designed for fuzzing/evil testing purposes, when toxy becomes particularly useful to cover fault tolerance and resiliency...

ColdFusion 9-10 - Credential Disclosure Exploit

ColdFusion...

2012.1.1: fails to validate tokens in Admin API

The 1 OS-KSADM/services and 2 tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services...

Keystone: Lack of authorization for adding users to tenants

OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex 2012.1, allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly...