PT-2024-20292 · Unknown · Sourcecodester Daily Habit Tracker
Name of the Vulnerable Software and Affected Versions: Sourcecodester Daily Habit Tracker App version 1.0 Description: The issue allows SQL injection via the tracker parameter. Recommendations: For Sourcecodester Daily Habit Tracker App version 1.0, avoid using the parameter tracker in the affect...
SQL injection
A blind SQL injection in the apiid parameter of Tyk Gateway version 5.0.3 allows an attacker to access and dump the database via a crafted SQL query...
Improper Privilege Management
microweber/microweber is vulnerable to Improper Privilege Management. The vulnerability exists due to a lack of authorization checks on the apiResource parameter of api.php, which allows an attacker to provide malicious configuration-related API parameter...
CVE-2022-45608
An issue was discovered in ThingsBoard 3.4.1 that allows low-privileged attackers (CUSTOMERUSER) to escalate privileges vertically and become an administrator (TENANTADMIN or SYSADMIN) on the web application. It is important to note that in order to accomplish this, the attacker must know the...
CVE-2022-39041
aEnrich a+HRD has insufficient user input validation for a specific API parameter. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands to access, modify and delete database...
PT-2023-13674 · Unknown · Aenrich A+Hrd
Name of the Vulnerable Software and Affected Versions: aEnrich a+HRD, affected versions not specified Description: The issue stems from insufficient user input validation for a specific API parameter, allowing an unauthenticated remote attacker to inject arbitrary SQL commands. This can lead to...
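The SQL injection entries above (Sourcecodester Daily Habit Tracker, Tyk Gateway, aEnrich a+HRD) all describe the same defect: a request parameter spliced into a query string. The following is an added example, not code from any of those products or from this page; it uses an in-memory SQLite table with constructed rows and a hypothetical tracker parameter to show the injectable query beside its parameterized replacement, and a boolean-based blind probe of the kind the Tyk entry refers to, run against the vulnerable form.

```python
import sqlite3
import string

# Constructed sample data (not from any real product): one habit tracker per user.
ROWS = [
    (1, "alice", "drink water"),
    (2, "bob", "read 20 pages"),
    (3, "carol", "private journal"),
]


def make_db() -> sqlite3.Connection:
    """Build a fresh in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE trackers (id INTEGER PRIMARY KEY, owner TEXT, habit TEXT)")
    conn.executemany("INSERT INTO trackers VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, tracker: str) -> list:
    """Splices the raw parameter into the SQL text: the pattern the advisories describe.
    A value such as "1 OR 1=1" changes the query's structure and returns every row."""
    sql = f"SELECT id, owner, habit FROM trackers WHERE id = {tracker}"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, tracker: str) -> list:
    """Binds the parameter as a value. SQLite applies the column's integer affinity to
    the bound text, so "1" still matches id 1 while "1 OR 1=1" matches nothing."""
    sql = "SELECT id, owner, habit FROM trackers WHERE id = ?"
    return conn.execute(sql, (tracker,)).fetchall()


def blind_extract_owner(conn: sqlite3.Connection, target_id: int, max_len: int = 16) -> str:
    """Boolean-based blind extraction through lookup_vulnerable: each probe appends an
    AND condition that is true only when one guessed character is right, and the
    attacker observes whether the legitimate row (id 1) comes back or not."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in string.ascii_lowercase:
            probe = (
                f"1 AND (SELECT substr(owner,{pos},1) FROM trackers "
                f"WHERE id={target_id})='{ch}'"
            )
            if lookup_vulnerable(conn, probe):
                recovered += ch
                break
        else:
            break  # no character matched at this position: end of the value
    return recovered
```

The blind loop needs roughly 26 requests per recovered character and no error message or data in the response, only the presence or absence of a row; that is why "blind" injection is still a full data-extraction primitive rather than a reduced one.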
CVE-2022-20926
A vulnerability in the web management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. The vulnerability is due to insufficient validation of user-supplied parameters for...
CVE-2022-23770 WISA Smart Wing CMS Remote Command Execution Vulnerability
This vulnerability could allow a remote attacker to execute remote commands because of improper validation of parameters in certain API constructors. Remote attackers could use this vulnerability to execute malicious commands such as directory traversal...
CVE-2022-28811 Possible command injection in Car Park Server in Carlo Gavazzi UWP3.0
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in version 2.8.3, a remote, unauthenticated attacker could exploit improper input validation of an API-submitted parameter to execute arbitrary OS commands...
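The three command-execution entries above (Cisco FMC, WISA Smart Wing CMS, Carlo Gavazzi UWP3.0 and CPY Car Park Server) share a root cause: a request parameter reaches an OS command without validation. The following is an added example, not code from any of those products or from this page. It assumes a hypothetical diagnostic endpoint that pings a user-supplied host, shows the shell-string construction that makes injection possible, tokenizes that string the way a POSIX shell would so the extra command is visible, and then shows the fixed form: a strict allowlist on the parameter plus an argv list passed to subprocess without a shell.

```python
import re
import shlex
import subprocess

# Allowlist for the assumed "host" parameter: DNS labels joined by dots, nothing else.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Shell control operators that start a new command (a subset, enough for the demo).
COMMAND_SEPARATORS = {";", "&&", "||", "|"}


def build_command_vulnerable(host: str) -> str:
    """Builds a single string for shell=True execution: the injectable pattern."""
    return f"ping -c 1 {host}"


def shell_commands(cmdline: str) -> list:
    """Splits a command line into the separate commands a POSIX shell would run.
    punctuation_chars=True makes shlex emit ';', '&&', '||' and '|' as their own tokens."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in COMMAND_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def is_valid_host(host: str) -> bool:
    """Allowlist check on the parameter: reject anything that is not a plain hostname."""
    return len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None


def build_command_fixed(host: str) -> list:
    """Validates the parameter and returns an argv list. Each element is passed to the
    program as-is; no shell ever parses it, so separators and quotes have no meaning."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def run_fixed(host: str) -> subprocess.CompletedProcess:
    """Executes the validated argv with shell=False (the default for a list)."""
    return subprocess.run(build_command_fixed(host), capture_output=True, text=True, check=False)
```

Both halves of the fix matter: the argv list removes the shell as an interpreter of the parameter, and the allowlist stops the value from being abused as an argument to the program itself (for example a host string beginning with "-" being read as an option).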
CVE-2022-0879
The Caldera Forms WordPress plugin before 1.9.7 does not validate and escape the cf-api parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting...
CVE-2021-37215
The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After authenticating as a general user, a remote attacker can manipulate the user data and then overwrite another employee’s user data by specifying that employee’s ID in the API parameter...
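The Flygo entry above is a textbook IDOR: the server trusts the employee ID in the request instead of deriving authorization from the session. The following is an added example, not Flygo's code or anything from this page. It assumes a hypothetical employee directory with "user" and "admin" roles and a constructed set of records, and shows the update handler that trusts the parameter beside one that checks the acting user against the target record before writing.

```python
from dataclasses import dataclass


@dataclass
class Employee:
    id: int
    name: str
    role: str  # assumed roles: "user" or "admin"


class PermissionDenied(Exception):
    """Raised when the session user may not modify the requested record."""


def make_directory() -> dict:
    """Constructed sample directory (not real data): two general users and one admin."""
    return {
        101: Employee(101, "Alice", "user"),
        102: Employee(102, "Bob", "user"),
        103: Employee(103, "Carol", "admin"),
    }


def update_employee_vulnerable(directory: dict, session_user_id: int,
                               employee_id: int, new_name: str) -> Employee:
    """Trusts the employee_id request parameter outright. Authentication happened,
    but authorization did not: any logged-in user can overwrite any record."""
    record = directory[employee_id]
    record.name = new_name
    return record


def authorize_update(directory: dict, session_user_id: int, employee_id: int) -> bool:
    """Object-level check: a general user may only touch their own record; an admin
    may touch any existing record. The decision is based on the session, never on
    anything the client sent in the request body."""
    actor = directory.get(session_user_id)
    if actor is None or employee_id not in directory:
        return False
    return actor.role == "admin" or employee_id == session_user_id


def update_employee_fixed(directory: dict, session_user_id: int,
                          employee_id: int, new_name: str) -> Employee:
    """Same write path as the vulnerable handler, gated by the ownership check."""
    if not authorize_update(directory, session_user_id, employee_id):
        raise PermissionDenied(f"user {session_user_id} may not modify employee {employee_id}")
    record = directory[employee_id]
    record.name = new_name
    return record
```

The check belongs at the data-access layer, on every read and write that takes an object identifier, not only on the page that the advisory happened to name; IDORs are usually found in bulk once one endpoint is known to skip the check.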
GHSA-G5J6-R3X9-GF2M Cross-site scripting in Contentful
Contentful through 2020-05-21 for Python allows reflected XSS, as demonstrated by the api parameter to the-example-app.py...
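The two reflected XSS entries on this page (the cf-api parameter in Caldera Forms and the api parameter in Contentful's the-example-app.py) describe the same failure: a query parameter written back into the response without validation or escaping. The following is an added example, not code from either project or from this page. It assumes a hypothetical page fragment that displays which API is selected, shows the raw reflection beside output escaping, and adds an allowlist of assumed valid values ("cda" and "cpa") so the parameter is validated as well as escaped.

```python
import html

# Assumed allowlist for the parameter and its default; not taken from either project.
ALLOWED_API_VALUES = ("cda", "cpa")
DEFAULT_API = "cda"


def render_vulnerable(api: str) -> str:
    """Reflects the parameter straight into HTML: attacker markup is parsed as markup."""
    return f"<p>Current API: {api}</p>"


def render_fixed(api: str) -> str:
    """Escapes on output. quote=True also encodes quotes, so the value is safe
    inside an attribute as well as in element text."""
    return f"<p>Current API: {html.escape(api, quote=True)}</p>"


def normalize_api(api: str) -> str:
    """Validates the parameter against the allowlist; anything else falls back to the default.
    Validation and escaping are complementary: this stops junk values, escaping stops markup."""
    return api if api in ALLOWED_API_VALUES else DEFAULT_API


def render_hardened(api: str) -> str:
    """Validate first, then escape; escaping stays in place as defence in depth."""
    return render_fixed(normalize_api(api))


def reflects_markup(rendered: str) -> bool:
    """Helper for checking whether a rendering contains an unescaped script tag."""
    return "<script" in rendered.lower()
```

Escaping at the output sink is the fix that generalizes; an allowlist on input is worth having when the parameter has a small known set of values, as a selector like this one does, but it is not a substitute for escaping wherever free text is reflected.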