813 matches found
Denial Of Service (DoS)
grpc-ts-health-check is vulnerable to denial of service DoS. The attack is possible as it does not protect its API endpoints, causing failure of service's health and thereby allowing Kubernetes to block traffic to services with a failing status...
CVE-2019-5630
A Cross-Site Request Forgery CSRF vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request...
Cross site request forgery (csrf)
A Cross-Site Request Forgery CSRF vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request...
CVE-2019-5630
CVE-2019-5630 affects Rapid7 Nexpose InsightVM Security Console. The vulnerability is a Cross-Site Request Forgery (CSRF) in API endpoints that can be exploited via Flash to bypass a cross-domain pre-flight OPTIONS request. Affected versions are 6.5.0 through 6.5.68. The issue arises from insuffi...
CVE-2019-5630 Rapid7 Nexpose/InsightVM Security Console CSRF
A Cross-Site Request Forgery CSRF vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request...
ZEIT: Access control bypass leads to domain information disclosure
Summary: By leveraging the domain verification endpoint I can obtain sensitive information about the user who registered the domain within the zeit UI including username, email address, userId, and customerId. In addition, some high level information about the domain is included as well such as...
Command Injection
expressfs is susceptible to command injection. The attacker can inject arbitrary commands because it does not properly escape inputs provided by the users through the following API endpoints : expressfs.appendFile, expressfs.cp, expressfs.create and expressfs.rmdir...
Command Injection
Overview All versions of expressfs are vulnerable to Command Injection. The package does not validate user input on several API endpoints, allowing attackers to run arbitrary commands in the system. The affected endpoints are: expressfs.appendFile, expressfs.cp, expressfs.create and...
Design/Logic Flaw
An issue was discovered in 42Gears SureMDM before 2018-11-27. By visiting the page found at /console/ConsolePage/Master.html, an attacker is able to see the markup that would be presented to an authenticated user. This is caused by the session validation occurring after the initial markup is...
CVE-2018-15658
CVE-2018-15658 affects 42Gears SureMDM (pre-2018-11-27). The issue arises when session validation runs after initial markup on /console/ConsolePage/Master.html, allowing an attacker to view the markup that would be shown to an authenticated user and, per the vulnerability description, access unpr...
CVE-2018-15658
An issue was discovered in 42Gears SureMDM before 2018-11-27. By visiting the page found at /console/ConsolePage/Master.html, an attacker is able to see the markup that would be presented to an authenticated user. This is caused by the session validation occurring after the initial markup is...
Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities
Exploit for php platform in category web applications ======================================================================= title: SQL Injection, XSS & CSRF vulnerabilities product: Pimcore vulnerable version: 5.2.3 and below fixed version: 5.3.0 CVE number: CVE-2018-14057, CVE-2018-14058,...
PT-2018-1311 · Microsoft +3 · Ie +5
Name of the Vulnerable Software and Affected Versions: Microsoft Windows VBScript Engine versions prior to the fixed version Description: A remote code execution issue exists in the way the VBScript engine handles objects in memory. This allows remote attackers to execute arbitrary code and affec...
CVE-2016-9880
The GemFire broker for Cloud Foundry 1.6.x before 1.6.5 and 1.7.x before 1.7.1 has multiple API endpoints which do not require authentication and could be used to gain access to the cluster managed by the broker...
Authentication flaw
The GemFire broker for Cloud Foundry 1.6.x before 1.6.5 and 1.7.x before 1.7.1 has multiple API endpoints which do not require authentication and could be used to gain access to the cluster managed by the broker...
PT-2018-18068 · Zzcms · Zzcms
Name of the Vulnerable Software and Affected Versions: zzcms version 8.2 Description: The issue allows remote attackers to discover the full path via a direct request to "3/qq connect2.0/API/class/ErrorCase.class.php" or "3/ucenter api/code/friend.php". Recommendations: For zzcms version 8.2, as ...
JetBrains IntelliJ-based IDEs <= 2016.1 Multiple Vulnerabilities - Active Check
JetbBains IntelliJ-based IDEs are prone to a remote code execution RCE and a local file disclosure vulnerability. SPDX-FileCopyrightText: 2017 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders...
CVE-2016-3723
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints...
Updated jenkins-remoting packages fix CVE-2016-0792
Updated jenkins-remoting packages fix security vulnerability: Jenkins has several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution. SECURITY-247 ...
CVE-2016-0792
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando...