GHSA-C9P4-XWR9-RFHX Zot IdP group membership revocation ignored

Summary The group data stored for users in the boltdb database meta.db is an append-list so group revocations/removals are ignored in the API. Details SetUserGroups is alled on login, but instead of replacing the group memberships, they are appended. This may be due to some conflict with the grou...

PT-2025-3104 · Unknown · Vaultwarden

Name of the Vulnerable Software and Affected Versions: Vaultwarden version 1.32.5 Description: The issue is related to an authenticated reflected Cross-Site Scripting XSS vulnerability. This vulnerability is present in the /api/core/mod.rs component. Recommendations: For Vaultwarden version 1.32....

CVE-2025-21611 tgstation-server's role authorization incorrectly OR'd with user's enabled status

tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions...

CVE-2024-12108

In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API...

CVE-2024-12108 WhatsUp Gold - Public API signing key rotation issue

In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API...

CVE-2024-56799 Simofa Allows Unauthenticated Access to API Routes

Simofa is a tool to help automate static website building and deployment. Prior to version 0.2.7, due to a design mistake in the RouteLoader class, some API routes may be publicly accessible when they should require authentication. This vulnerability has been patched in v0.2.7...

CVE-2024-12371

A device takeover vulnerability exists in the Rockwell Automation Power Monitor 1000. This vulnerability allows configuration of a new Policyholder user without any authentication via API. Policyholder user is the most privileged user that can perform edit operations, creating admin users and...

CVE-2024-12371

CVE-2024-12371 affects Rockwell Automation Power Monitor 1000. Vulnerability: API allows unauthenticated creation of a Policyholder user with high privileges (edit operations, admin creation, factory reset). Reported impact includes device takeover and potential for remote code execution/DoS via ...

PT-2024-28642 · Threatquotient · Threatq

Name of the Vulnerable Software and Affected Versions: ThreatQuotient ThreatQ versions prior to 5.29.3 Description: The issue allows authenticated users to execute arbitrary commands by sending a crafted request to an API endpoint. Recommendations: For versions prior to 5.29.3, update to version...

CVE-2024-5333

The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events...

CVE-2024-5333

The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events...

PT-2024-35723

Name of the Vulnerable Software and Affected Versions The Events Calendar WordPress plugin versions prior to 6.8.2.1 Description The issue is related to missing access checks in the REST API, allowing unauthenticated users to access information about password-protected events. Recommendations For...

PT-2024-36214 · Hurrakify · Hurrakify

Name of the Vulnerable Software and Affected Versions: Hurrakify versions n/a through 2.4 Description: A Server-Side Request Forgery SSRF vulnerability is present in Hurrakify, enabling Server Side Request Forgery. This issue allows for the reading of application data. Recommendations: For versio...

CVE-2024-47760

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with an access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue...

CVE-2024-47760

GLPI (Asset & IT Management) affected in CVE-2024-47760: prior to 10.0.17, a technician with API access can elevate privileges and take control of a higher-privileged account. A patch is available in version 10.0.17. Connected sources corroborate version ranges around 9.1.0–10.0.17/10.0.18 and in...

CVE-2024-47760 GLPI vulnerable to account takeover via API

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with an access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue...

CVE-2024-47760 GLPI vulnerable to account takeover via API

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with an access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue...

CVE-2024-47758

CVE-2024-47758 affects GLPI: authenticated users can via the API take control of another user with equal or lower privileges in versions 9.3.0 up to, but not including, 10.0.17. A patch is available in 10.0.17. Connected documents corroborate GLPI context and indicate multiple vendor advisories f...

What is Nudge Security and How Does it Work?

Regain control of SaaS sprawl with Day One discovery of all SaaS and GenAI accounts along with workflows to help you mitigate security risks, curb rogue app usage, and manage SaaS spend. In today's highly distributed workplace, every employee has the ability to act as their own CIO, adopting new...

CVE-2024-8256

In Teltonika Networks RUTOS devices, running on versions 7.0 to 7.8 excluding and TSWOS devices running on versions 1.0 to 1.3 excluding, due to incorrect permission handling a vulnerability exists which allows a lower privileged user with default permissions to access critical device resources v...