83 matches found
CVE-2023-41319 Remote Code Execution in Custom Integration Upload in Fides
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows custom integrations to be uploaded as a ZIP file. This ZIP file must contain YAML...
SQL injection in API authorization check
Description TeamPass /authorize API endpoint is vulnerable to SQL injection in the login field. It is possible to forge an arbitrary Blowfish hash and use it in the query to bypass the password verification check. Using the same query it is possible to define an arbitrary apikey value too: "login...
CVE-2022-3876 Click Studios Passwordstate API authorization
A vulnerability, which was classified as problematic, has been found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. This issue affects some unknown processing of the file /api/browserextension/UpdatePassword/ of the component API. The manipulation of the argument...
CVE-2022-34770
Tabit - sensitive information disclosure. Several APIs on the web system display, without authorization, sensitive information such as health statements, previous bills in a specific restaurant, alcohol consumption and smoking habits. Each of the described API’s, has in its URL one or more MongoD...
CVE-2022-25237
Bonita Web 2021.2 is affected by a authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, users with no privileges can access privileged API...
Privilege escalation in easyappointments
The Easy!Appointments API authorization is checked against the user's existence, without validating the permissions. As a result, a low privileged user eg. provider can create a new admin user via the "/api/v1/admins/" endpoint and take over the system. A patch is available on the develop branch ...
GHSA-7F62-4887-CFV5 Privilege escalation in easyappointments
The Easy!Appointments API authorization is checked against the user's existence, without validating the permissions. As a result, a low privileged user eg. provider can create a new admin user via the "/api/v1/admins/" endpoint and take over the system. A patch is available on the develop branch ...
Cisco SD-WAN vManage Software Information Disclosure Vulnerability (CNVD-2022-46480)
Cisco SD-WAN vManage Software is a management software for SD-WAN Software Defined Wide Area Network solutions from Cisco, U.S. An information disclosure vulnerability exists in Cisco SD-WAN vManage Software, which stems from insufficient checks of API authorization to the underlying operating...
API Privilege Escalation
Description Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application. On Easy!Appointments API authorizati...
CVE-2022-20747
The CVE-2022-20747 concern is Cisco SD-WAN vManage Software Information Disclosure via the History API. Root cause: insufficient API authorization checks on the underlying OS, enabling an authenticated, lower-privileged user to access sensitive information. Affected component: History API in Cisc...
CVE-2022-20747 Cisco SD-WAN vManage Software Information Disclosure Vulnerability
A vulnerability in the History API of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain access to sensitive information on an affected system. This vulnerability is due to insufficient API authorization checking on the underlying operating system. An attacker cou...
Cisco SD-WAN vManage Software Information Disclosure (cisco-sa-sdwan-vman-infodis-73sHJNEq)
According to its self-reported version, Cisco SD-WAN Viptela Software is affected by a vulnerability. - A vulnerability in the History API of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain access to sensitive information on an affected system. This vulnerabili...
Design/Logic Flaw
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR Insecure Direct Object Reference vulnerability...
Cisco Connected Mobile Experiences User Enumeration Vulnerability
Cisco Connected Mobile Experiences CMX is an intelligent Wi-Fi solution that uses the Cisco wireless infrastructure to provide location services and location analytics to consumers' mobile devices. A user enumeration vulnerability exists in API authorization for Cisco Connected Mobile Experiences...
CVE-2021-1143
A vulnerability in Cisco Connected Mobile Experiences CMX API authorizations could allow an authenticated, remote attacker to enumerate what users exist on the system. The vulnerability is due to a lack of authorization checks for certain API GET requests. An attacker could exploit this...
Design/Logic Flaw
A vulnerability in Cisco Connected Mobile Experiences CMX API authorizations could allow an authenticated, remote attacker to enumerate what users exist on the system. The vulnerability is due to a lack of authorization checks for certain API GET requests. An attacker could exploit this...
Cisco Connected Mobile Experiences (CMX) 访问控制错误漏洞
Cisco Connected Mobile Experiences CMX is an intelligent Wi-Fi solution that uses the Cisco wireless infrastructure to provide location services and location analytics to consumers' mobile devices. A user enumeration vulnerability exists in API authorization for Cisco Connected Mobile Experiences...
CVE-2020-13284
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token...
UBUNTU-CVE-2020-13284
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token...
CVE-2020-13284
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. API Authorization Using Outdated CI Job Token...