405 matches found
MAL-2022-640 Malicious code in @thrift-api/request (npm)
Source: ghsa-malware fc7c546cee9e2a91fe9d45f7f261892c3bfb7d979a727786c4f77d1ac0be7e16. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
GHSA-8RP6-X3R7-5QW3 SaltStack Salt is vulnerable to shell injection via ProxyCommand argument
An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request...
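The Salt entry above describes the general hazard: caller-controlled ssh options spliced into an ssh command line let the caller set ProxyCommand, which makes the local ssh client run an arbitrary command. The following is an added example, not code from Salt or from the advisory, that shows the naive string-building pattern next to a hardened builder. The allowlist of permitted options, the option names, and the host check are assumptions made for this example.

```python
import re
from typing import Iterable, List, Tuple

# ssh client options that make ssh itself run a local command or read an
# attacker-chosen file. A caller who controls any of these controls code
# execution on the host running the ssh client (ProxyCommand is the case
# named in the advisory). Keywords in ssh_config are case-insensitive.
LOCAL_EXEC_OPTIONS = frozenset({
    "proxycommand", "localcommand", "permitlocalcommand",
    "knownhostscommand", "include", "match",
})

# Options an API caller may set. This allowlist is an assumption for the
# example; a real service would choose it from what its callers legitimately need.
ALLOWED_OPTIONS = frozenset({
    "port", "user", "connecttimeout", "stricthostkeychecking",
    "serveraliveinterval", "batchmode",
})

_VALUE_RE = re.compile(r"[A-Za-z0-9._@:-]{1,128}")
_HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def vulnerable_ssh_command(host: str, ssh_options: str) -> str:
    """Illustrative vulnerable pattern (not Salt's code): the caller-supplied
    option string is pasted into a shell command line without parsing, so
    '-oProxyCommand=...' in ssh_options is executed by the ssh client."""
    return f"ssh {ssh_options} {host} true"


def parse_option(raw: str) -> Tuple[str, str]:
    """Split 'Key=Value' or 'Key Value' into a lower-cased key and its value."""
    if "=" in raw:
        key, value = raw.split("=", 1)
    else:
        parts = raw.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed ssh option: {raw!r}")
        key, value = parts
    return key.strip().lower(), value.strip()


def safe_ssh_argv(host: str, ssh_options: Iterable[str]) -> List[str]:
    """Build an argv list (to be passed to subprocess without a shell) and
    admit only allowlisted options with conservative values."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"bad host: {host!r}")
    argv = ["ssh"]
    for raw in ssh_options:
        key, value = parse_option(raw)
        if key in LOCAL_EXEC_OPTIONS:
            raise ValueError(f"option {key} executes local commands; refused")
        if key not in ALLOWED_OPTIONS:
            raise ValueError(f"option {key} is not permitted")
        # No whitespace or shell metacharacters: one option per -o, and a value
        # cannot smuggle a second keyword onto the same config line.
        if not _VALUE_RE.fullmatch(value):
            raise ValueError(f"bad value for {key}: {value!r}")
        argv += ["-o", f"{key}={value}"]
    argv += [host, "true"]
    return argv


if __name__ == "__main__":
    # Constructed inputs for the example; nothing is executed here.
    print(vulnerable_ssh_command("host.example", "-oProxyCommand=id"))
    print(safe_ssh_argv("host.example", ["Port=2222", "StrictHostKeyChecking=no"]))
    for bad in ("ProxyCommand=id", "Port=22 ProxyCommand=id", "IdentityFile=/etc/shadow"):
        try:
            safe_ssh_argv("host.example", [bad])
        except ValueError as exc:
            print("refused:", exc)
```

The two controls that matter are building an argv list instead of a shell string, and deciding by allowlist which option keywords a caller may set at all; the explicit LOCAL_EXEC_OPTIONS check is defence in depth so the refusal reason is clear if the allowlist is later widened.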
CVE-2022-22434
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user with physical access to create an API request modified to create additional objects. IBM X-Force ID: 224159...
Cross site request forgery (csrf)
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user with physical access to create an API request modified to create additional objects. IBM X-Force ID: 224159...
Security Bulletin: IBM Robotic Process Automation could allow a user with physical access to create an API request modified to create additional objects (CVE-2022-22434)
Summary IBM Robotic Process Automation could allow a user with physical access to create an API request modified to create additional objects Vulnerability Details CVEID: CVE-2022-22434 DESCRIPTION: IBM Robotic Process Automation could allow a user with physical access to create an API request...
CVE-2021-3523
3scale APICast (Red Hat 3scale) is affected in versions prior to 2.11.0. The root cause is incorrect reuse of connections, enabling an attacker to bypass API security restrictions when hosting multiple APIs on the same IP. CVSS v3.1 base score is 7.5 (HIGH); exploitation details are not provided....
CVE-2021-41594
In RSA Archer 6.9.SP1 P3, if some application functions are precluded by the Administrator, this can be bypassed by intercepting the API request at the /api/V2/internal/TaskPermissions/CheckTaskAccess endpoint. If the parameters of this request are replaced with empty fields, the attacker achieve...
Cross site request forgery (csrf)
In RSA Archer 6.9.SP1 P3, if some application functions are precluded by the Administrator, this can be bypassed by intercepting the API request at the /api/V2/internal/TaskPermissions/CheckTaskAccess endpoint. If the parameters of this request are replaced with empty fields, the attacker achieve...
Path Traversal
github.com/argoproj/argo-cd is vulnerable to path traversal. A remote attacker is able to craft an API request to the /api/v1/repositories/repourl/appdetails endpoint to leak the contents from the out-of-bounds files in the repo-server...
Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server
Impact All unpatched versions of Argo CD starting with v1.3.0 are vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only repository access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user who has been...
Improper Access Control
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.3.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only repository acces...
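The three Argo CD entries above describe a path traversal that lets a caller of the appdetails endpoint read files outside the repository checkout on the repo-server. As an added example, not Argo CD's code and not the fix the project shipped, here is the containment check a server should apply to a caller-supplied path before opening it, exercised against a constructed directory tree. The directory layout, file names and the demo function are assumptions made for this example.

```python
import os
import tempfile


def resolve_within_root(root: str, requested: str) -> str:
    """Return the real path of `requested` only if it stays under `root`.

    `requested` is the caller-supplied path (for instance a query parameter).
    Both sides are canonicalised with realpath so that "..", repeated
    separators, an absolute path and symbolic links are all resolved before
    the containment test. commonpath is used rather than startswith so that
    a sibling directory such as root + "2" is not mistaken for the root.
    """
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PermissionError(f"{requested!r} escapes {root}")
    return candidate


def demo() -> dict:
    """Run the check against a constructed tree (sample data built here for
    the example, not taken from any real deployment)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "repo")
        os.makedirs(os.path.join(repo, "app"))
        with open(os.path.join(repo, "app", "manifest.yaml"), "w") as f:
            f.write("kind: Application\n")
        outside = os.path.join(tmp, "secret.txt")
        with open(outside, "w") as f:
            f.write("not for clients\n")
        try:
            # A symlink inside the checkout pointing outside of it.
            os.symlink(outside, os.path.join(repo, "link"))
            have_symlink = True
        except (OSError, NotImplementedError):
            have_symlink = False

        def attempt(requested: str) -> str:
            try:
                with open(resolve_within_root(repo, requested)) as f:
                    return f.read().strip()
            except PermissionError:
                return "blocked"

        results["normal"] = attempt("app/manifest.yaml")
        results["dotdot"] = attempt("../secret.txt")
        results["nested_dotdot"] = attempt("app/../../secret.txt")
        results["absolute"] = attempt(outside)
        results["symlink"] = attempt("link") if have_symlink else "unsupported"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} {outcome}")
```

Note that this check only bounds which file is opened; the advisory also describes an access control defect, and a caller with read access to one repository must still be denied paths that resolve into another repository's checkout, which is a separate authorization decision this check does not make.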
Mobile device monitoring services do not authenticate API requests
Overview The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. These services and their associated apps can be used to perform non-consensual,...
CVE-2021-34774
CVE-2021-34774 concerns the web management interface of Cisco Common Services Platform Collector (CSPC). Affected: CSPC web UI. Vulnerable component: API response handling that fails to sufficiently protect sensitive data. Root cause: information disclosure when responding to a crafted HTTP re...
Improper access control
A vulnerability in the API endpoints for Cisco DNA Center could allow an authenticated, remote attacker to gain access to sensitive information that should be restricted. The attacker must have valid device credentials. This vulnerability is due to improper access controls on API endpoints. An...
A vulnerability in the password change interface of Cisco Connected Mobile Experiences (CMX) software could allow an attacker to bypass security mechanisms.
The vulnerability in the Cisco Connected Mobile Experiences (CMX) password change interface stems from deficiencies in how registration data is handled. Exploiting it could allow a malicious actor to bypass security measures by means of a specially crafted API request...
CVE-2021-39169
Misskey is a decentralized microblogging platform. In versions of Misskey prior to 12.51.0, malicious actors can use the web client built-in dialog to display a malicious string, leading to cross-site scripting (XSS). XSS could compromise the API request token. This issue has been fixed in version...