
966 matches found

CVE
added 2021/01/15 8:10 p.m., 66 views

CVE-2021-21246

OneDev before 4.0.3 exposes an insecure REST endpoint: GET /users/{id} lacks authorization checks, enabling retrieval of arbitrary user details and Access Tokens. This permits potential impersonation and sensitive data exposure across projects accessible by the user. The issue is fixed in version...

CVSS 8.6 | AI score 7.7 | EPSS 0.24883
Exploits 0 | References 2 | Affected Software 1
CVE
added 2021/01/12 2:21 p.m., 46 views

CVE-2021-21471

CVE-2021-21471 affects CLA-Assistant; versions before 2.8.5 are vulnerable due to improper access control. An authenticated user could access API endpoints not intended for user access, risking integrity of the application. The vulnerability is documented across multiple sources (NVD, Red Hat, PR...

CVSS 6.5 | AI score 6.3 | EPSS 0.00439
Exploits 0 | References 1 | Affected Software 1
Hacker One
added 2021/01/04 1:48 p.m., 13 views

Rocket.Chat: Registration bypass with leaked Invite Token

The Rocket.Chat API route 'validateInviteToken' was vulnerable to a registration bypass attack. The route allowed unauthenticated users to guess valid invite tokens by sending a crafted JSON payload with a regular expression. Once a valid token was obtained, the user could access private channels...

AI score 7
Exploits 0
CVE
added 2020/12/30 6:24 p.m., 57 views

CVE-2020-27848

CVE-2020-27848 affects dotCMS versions before 20.10.1. The vulnerability is an SQL injection in the REST endpoint /api/v1/containers (orderby parameter) caused by unsanitized orderBy handling in the PaginatorOrdered classes. An authenticated manager is required to exploit. Public sources indicate...

CVSS 8.8 | AI score 8.8 | EPSS 0.00443
Exploits 1 | References 2 | Affected Software 1
Prion
added 2020/12/18 10:15 a.m., 9 views

Code injection

In tangro Business Workflow before 1.18.1, a user's profile contains some items that are greyed out and thus are not intended to be edited by regular users. However, this restriction is only applied client-side. Manipulating any of the greyed-out values in requests to /api/profile is not prohibit...

CVSS 4 | AI score 4.7 | EPSS 0.00203
Exploits 1 | References 2 | Affected Software 1
CVE
added 2020/12/18 9:26 a.m., 49 views

CVE-2020-26177

CVE-2020-26177 affects Tangro Business Workflow prior to 1.18.1. The issue is an access control flaw: certain profile items are rendered as greyed out on the client, but the server does not enforce this restriction—manipulating greyed‑out values in requests to /api/profile is not prohibited serve...

CVSS 4.3 | AI score 4.6 | EPSS 0.00203
Exploits 1 | References 2 | Affected Software 1
Github Security Blog
added 2020/11/13 5:18 p.m., 70 views

Authorization bypass in Spree

Impact The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree 3.7 are not affected. References Pull request with a fix and in-depth explanati...

CVSS 7.7 | AI score 0.5 | EPSS 0.00267
Exploits 1 | References 7 | Affected Software 1
Openbugbounty
added 2020/11/09 1:57 p.m., 8 views

api.bandgaze.com Cross Site Scripting vulnerability OBB-1496672

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...

Exploits 0
Akamai Blog
added 2020/11/06 3:15 p.m., 21 views

Corporate Office and Kitchen Table: Securing the Future of Work, Part 2

The workforce is remote, the data center is the cloud, the corporate network is the internet, and the security stack is at the edge. In Part 1, I focused on the future of work, the most obvious feature being that the workforce is even more distributed, even more remote. Employees expect to be abl...

AI score 1
Exploits 0
Openbugbounty
added 2020/11/06 9:59 a.m., 9 views

api.mera.macrocrm.ru Cross Site Scripting vulnerability OBB-1487875

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...

Exploits 0
Openbugbounty
added 2020/11/06 9:57 a.m., 8 views

api.kps.macrocrm.ru Cross Site Scripting vulnerability OBB-1487860

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...

Exploits 0
Openbugbounty
added 2020/11/03 9:32 a.m., 13 views

api.mera.macrocrm.ru Cross Site Scripting vulnerability OBB-1478887

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...

Exploits 0
Openbugbounty
added 2020/11/03 9:28 a.m., 22 views

api.kps.macrocrm.ru Cross Site Scripting vulnerability OBB-1478868

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...

Exploits 0
Openbugbounty
added 2020/10/30 5:45 p.m., 8 views

api.mera.macrocrm.ru Cross Site Scripting vulnerability OBB-1467370

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...

AI score 6.2
Exploits 0
Openbugbounty
added 2020/10/30 4:44 p.m., 6 views

api.meradb.ru Cross Site Scripting vulnerability OBB-1467210

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...

AI score 6.2
Exploits 0
Openbugbounty
added 2020/10/29 9:22 p.m., 6 views

api.xiaomingming.org Cross Site Scripting vulnerability OBB-1464139

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...

AI score 6.2
Exploits 0
Hacker One
added 2020/10/29 2:20 p.m., 20 views

CS Money: Attacker can generate cancelled transactions in a user's transaction history using only Steam ID

Summary: The API endpoint /create-payment requires only the steam ID of the account to create the payment. When this endpoint is called using the cardpay flow, it returns a transaction ID on the Cardpay system. The attacker can access this transaction, and immediately cancel it or pay it, whic...

AI score 0.5
Exploits 0
Openbugbounty
added 2020/10/28 11:56 p.m., 6 views

api3dinspector.iris-group.it Cross Site Scripting vulnerability OBB-1460428

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...

AI score 6.2
Exploits 0
NVD
added 2020/10/28 6:15 p.m., 10 views

CVE-2020-16256

The API on Winston 1.5.4 devices is vulnerable to CSRF...

CVSS 9.3 | AI score 8.7 | EPSS 0.00154
Exploits 1 | References 2
Openbugbounty
added 2020/10/28 3:33 p.m., 9 views

api.intronics.nl Cross Site Scripting vulnerability OBB-1458643

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...

AI score 6.2
Exploits 0