CVE-2024-36467
An authenticated user with API access (e.g. a user with the default User role, or more specifically any user who can call the user.update API endpoint) can add themselves to any group, e.g. Zabbix Administrators, except groups that are disabled or that have restricted GUI access...
PT-2024-8876
Name of the Vulnerable Software and Affected Versions: Zabbix versions 6.0.0 through 6.0.31; Zabbix versions 6.4.0 through 6.4.16; Zabbix version 7.0.0. Description: A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access, can exploit...
zabbix -- SQL injection in user.get API
[email protected] reports: A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access, can exploit this vulnerability. An SQL injection exists in the CUser class in the addRelatedObjects function, which is called from the CUser.g...
Akuvox Smart Intercom/Doorphone Services HTTP API Improper Access Control
Summary Vandal-resistant Door Phone for High-end Buildings. Offering top-of-the-line features, Akuvox X912 is targeted at high-end residential and commercial projects. With a compact size, it is perfect for buildings with limited installation space. Description The Akuvox Smart Intercom/Doorphone...
An improper access control vulnerability in GLPI, the request, incident and asset inventory management system, allows an intruder to gain unauthorized access to the account.
An improper access control vulnerability in GLPI, the system for managing requests, incidents and computer equipment inventory, could allow a remote malicious actor to gain unauthorized access to the account through the API...
BIT-GITLAB-2024-7404 Improper Restriction of Rendered UI Layers or Frames in GitLab
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker gaining full API access as the victim via the Device OAuth flow...
UBUNTU-CVE-2024-38370
GLPI is a free asset and IT management software package. Starting in 9.2.0 and prior to 11.0.0, it is possible to download a document from the API without appropriate rights. Upgrade to 10.0.16...
CVE-2024-49754
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting XSS vulnerability in the API-Access page allows authenticated users to inject arbitrary JavaScript through the "token" parameter when creating a new API token. This vulnerability can result i...
CVE-2024-49754 LibreNMS has a stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/api-access.inc.php
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting XSS vulnerability in the API-Access page allows authenticated users to inject arbitrary JavaScript through the "token" parameter when creating a new API token. This vulnerability can result i...
CVE-2024-49754
LibreNMS (PHP/MySQL/SNMP-based network monitoring) has a Stored XSS vulnerability in the API-Access page. The issue, triggered by the token parameter when creating a new API token, allows an authenticated user to inject JavaScript that runs in other users’ sessions. Impact includes potential acco...
LibreNMS has a stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/api-access.inc.php
Summary A Stored Cross-Site Scripting XSS vulnerability in the API-Access page allows authenticated users to inject arbitrary JavaScript through the "token" parameter when creating a new API token. This vulnerability can result in the execution of malicious code in the context of other users'...
GHSA-GFWR-XQMJ-J27V LibreNMS has a stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/api-access.inc.php
Summary A Stored Cross-Site Scripting XSS vulnerability in the API-Access page allows authenticated users to inject arbitrary JavaScript through the "token" parameter when creating a new API token. This vulnerability can result in the execution of malicious code in the context of other users'...
PT-2024-33665 · Librenms · Librenms
Name of the Vulnerable Software and Affected Versions: LibreNMS versions prior to 24.10.0 Description: A Stored Cross-Site Scripting XSS vulnerability in the API-Access page allows authenticated users to inject arbitrary JavaScript through the token parameter when creating a new API token. This c...
GitLab 17.2 < 17.3.7 / 17.4 < 17.4.4 / 17.5 < 17.5.2 (CVE-2024-7404)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed a...
Moodle Access Control Error Vulnerability
Moodle is an open-source e-learning software platform, also known as a course management system, learning management system or virtual learning environment. Moodle suffers from an access control error vulnerability that stems from insufficient access control over the inclusion of an...
CVE-2024-7404
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker gaining full API access as the victim via the Device OAuth flow...
CVE-2024-7404 Improper Restriction of Rendered UI Layers or Frames in GitLab
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker gaining full API access as the victim via the Device OAuth flow...
CVE-2024-7404
GitLab CVE-2024-7404 affects GitLab CE/EE versions 17.2 through 17.3.6, 17.4 through 17.4.3 and 17.5 through 17.5.1, where a flaw in the Device OAuth flow could allow an attacker to gain full API access as the victim. The vulnerability enables unauthorized API access via the victim's session, with high confidentiality im...
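Both the Zabbix advisory (PT-2024-8876, versions 6.0.0 through 6.0.31, 6.4.0 through 6.4.16 and 7.0.0) and the GitLab advisory (CVE-2024-7404, 17.2 prior to 17.3.7, 17.4 prior to 17.4.4 and 17.5 prior to 17.5.2) are stated as version ranges, and the practical first step for a defender is to decide whether a deployed build falls inside them. The following is an added example written for this listing, not code from either vendor or from the advisories. It assumes the version strings look like `17.3.6-ee` or `6.0.31` (an edition or pre-release suffix after the numeric part is ignored), represents every range as inclusive lower bound / exclusive upper bound (so "6.0.0 through 6.0.31" becomes `6.0.0` to `6.0.32`), and uses made-up host names in the constructed inventory.

```python
"""Affected-version triage for the advisories listed above (added example)."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Ranges transcribed from the advisory text: (inclusive low, exclusive high).
# The exclusive upper bound is a representation choice, not wording from the advisories.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2024-7404 (GitLab CE/EE)": [
        ("17.2", "17.3.7"),    # 17.2 prior to 17.3.7
        ("17.4", "17.4.4"),    # 17.4 prior to 17.4.4
        ("17.5", "17.5.2"),    # 17.5 prior to 17.5.2
    ],
    "PT-2024-8876 (Zabbix)": [
        ("6.0.0", "6.0.32"),   # 6.0.0 through 6.0.31 inclusive
        ("6.4.0", "6.4.17"),   # 6.4.0 through 6.4.16 inclusive
        ("7.0.0", "7.0.1"),    # 7.0.0 only
    ],
}


def parse_version(text: str) -> Version:
    """Turn '17.4.4', 'v17.4.4-ee' or '6.0.31' into a tuple of ints.

    Assumption: anything after the leading dotted-numeric part (edition tags,
    pre-release labels) does not change which advisory range applies.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(v: Version, width: int) -> Version:
    """Right-pad with zeros so (17, 2) compares like (17, 2, 0)."""
    return v + (0,) * (width - len(v))


def is_affected(product: str, version: str) -> bool:
    """True if `version` falls inside any affected range recorded for `product`."""
    v = parse_version(version)
    for low, high in AFFECTED[product]:
        lo, hi = parse_version(low), parse_version(high)
        width = max(len(v), len(lo), len(hi))
        if _pad(lo, width) <= _pad(v, width) < _pad(hi, width):
            return True
    return False


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that need patching."""
    return [(host, product, ver) for host, product, ver in inventory
            if is_affected(product, ver)]


# Constructed sample inventory (host names are made up for this example).
SAMPLE_INVENTORY = [
    ("git.example.test", "CVE-2024-7404 (GitLab CE/EE)", "17.3.6-ee"),   # affected
    ("git-staging.example.test", "CVE-2024-7404 (GitLab CE/EE)", "17.3.7-ee"),  # fixed
    ("zbx.example.test", "PT-2024-8876 (Zabbix)", "6.0.31"),   # affected
    ("zbx-new.example.test", "PT-2024-8876 (Zabbix)", "7.0.1"),  # outside the listed 7.0.0
]

if __name__ == "__main__":
    for host, product, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is affected by {product}")
```

Version strings of this shape are what GitLab's `GET /api/v4/version` endpoint and Zabbix's `apiinfo.version` JSON-RPC method return, so the inventory can be filled from those calls; the point of padding to equal width is that an advisory bound like "17.2" must match "17.2.0" exactly and not sort above it.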
CVE-2024-7404
Removed by vendor...