Lucene search
K

2010 matches found

Veracode
Veracode
added 2024/02/09 5:22 a.m.20 views

Cross Site Scripting (XSS)

github.com/rancher/norman is vulnerable to Cross Site Scripting XSS . The vulnerability is due to a lack of URL validation within the ParseRequestURL method. An attacker can execute arbitrary JavaScript by sending a crafted payload to a public API endpoint, resulting in XSS...

8.3CVSS6.1AI score0.00428EPSS
Exploits0
OSV
OSV
added 2024/02/07 2:51 p.m.16 views

CVE-2024-24771 Open Forms potential multi-factor authentication bypass

Open Forms allows users create and publish smart forms. Versions prior to 2.2.9, 2.3.7, 2.4.5, and 2.5.2 contain a non-exploitable multi-factor authentication weakness. Superusers who have their credentials username + password compromised could potentially have the second-factor authentication...

7.7CVSS6AI score0.00599EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2024/02/07 12:0 a.m.4 views

PT-2024-20239 · Unknown · Novel-Plus

Name of the Vulnerable Software and Affected Versions: Novel-Plus versions 4.3.0-RC1 and prior Description: A SQL injection issue exists, allowing an attacker to pass specially crafted offset, limit, and sort parameters to perform SQL injection via the "/novel/userFeedback/list" API endpoint...

9.8CVSS9.6AI score0.00622EPSS
Exploits0References7
OSV
OSV
added 2024/02/05 10:16 p.m.3 views

CVE-2024-0869

The Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels plugin for WordPress is vulnerable to unauthorized arbitrary options update due to an insufficient check that neglects to verify whether the updated option belongs to the plugin on the instant-images/license...

6.5CVSS5.9AI score0.00791EPSS
Exploits0References4
OSV
OSV
added 2024/02/01 8:51 p.m.35 views

GHSA-XW73-RW38-6VJC Classic builder cache poisoning

The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions most important being HEALTHCHECK and ONBUILD would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache...

6.9CVSS7.4AI score0.00258EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2024/02/01 12:0 a.m.4 views

PT-2024-4534 · Unknown · Zenml Server

Name of the Vulnerable Software and Affected Versions: ZenML Server versions prior to 0.46.7 ZenML Server versions 0.44.4, 0.43.1, and 0.42.2 are patched and not vulnerable, so the actual vulnerable range is any version before 0.46.7, excluding the mentioned patched versions. However, since 0.44....

8.8CVSS8.7AI score0.70581EPSS
Exploits1References18
Github Security Blog
Github Security Blog
added 2024/01/24 2:21 p.m.30 views

Cross-site Scripting Vulnerability on Data Import

Introduction This write-up describes a vulnerability found in Label Studio, a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.10.1 and was tested on version 1.9.2.post0. Overview Label Studio had a remote import feature allowed users to...

6.1CVSS7.1AI score0.00592EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2024/01/19 8:15 p.m.28 views

PYSEC-2024-15

changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint /api/v1/watch//history can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, because unauthorized party...

3.7CVSS4.2AI score0.00587EPSS
Exploits1References2
Cvelist
Cvelist
added 2024/01/19 7:49 p.m.30 views

CVE-2024-23329 changedetection.io API endpoint is not secured with API token

changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint /api/v1/watch//history can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, because unauthorized party...

3.7CVSS4.3AI score0.00587EPSS
Exploits1References2
OSV
OSV
added 2024/01/19 7:49 p.m.19 views

CVE-2024-23329 changedetection.io API endpoint is not secured with API token

changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint /api/v1/watch//history can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, because unauthorized party...

3.7CVSS4.6AI score0.00587EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2024/01/18 12:0 a.m.3 views

PT-2024-19496 · Flycms · Flycms

Name of the Vulnerable Software and Affected Versions: FlyCms version 1.0 Description: The issue is a Cross-Site Request Forgery CSRF vulnerability. It can be exploited via the /system/user/group save API endpoint. Recommendations: For FlyCms version 1.0, as a temporary workaround, consider...

8.8CVSS8.7AI score0.00317EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2024/01/18 12:0 a.m.3 views

PT-2024-19575 · Flycms · Flycms

Name of the Vulnerable Software and Affected Versions: FlyCms version 1.0 Description: The issue is a Cross-Site Request Forgery CSRF vulnerability. It can be exploited via the "/system/email/email conf updagte" API endpoint. This vulnerability allows an attacker to perform unauthorized actions o...

8.8CVSS8.6AI score0.00321EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2024/01/18 12:0 a.m.4 views

PT-2024-19576 · Flycms · Flycms

Name of the Vulnerable Software and Affected Versions: FlyCms version 1.0 Description: The issue is a Cross-Site Request Forgery CSRF vulnerability. It occurs via the "/system/site/filterKeyword save" API endpoint. This allows for potential unauthorized actions on the system. Recommendations: For...

8.8CVSS8.5AI score0.00321EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2024/01/18 12:0 a.m.3 views

PT-2024-19531 · Flycms · Flycms

Name of the Vulnerable Software and Affected Versions: FlyCms version 1.0 Description: The issue is a Cross-Site Request Forgery CSRF vulnerability. It can be exploited via the "/system/admin/update group save" API endpoint. Recommendations: For FlyCms version 1.0, as a temporary workaround,...

8.8CVSS8.6AI score0.00352EPSS
Exploits1References5
Tenable Nessus
Tenable Nessus
added 2024/01/03 12:0 a.m.20 views

GitLab 13.10 < 14.1.7 / 14.2 < 14.2.5 / 14.3 < 14.3.1 (CVE-2021-39888)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - In all versions of GitLab EE starting from 13.10 before 14.1.7, all versions starting from 14.2 before 14.2.5, and all versions starting from 14.3 before 14.3.1 a specific API endpoint may reveal...

4.3CVSS5.3AI score0.01007EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2023/12/27 12:0 a.m.7 views

PT-2023-32884 · Weiye Jing · Datax-Web

Name of the Vulnerable Software and Affected Versions: WeiYe-Jing datax-web version 2.1.2 Description: A critical issue has been found in the HTTP POST Request Handler component, specifically affecting some unknown functionality of the file /api/log/killJob. The manipulation of the processId...

9.8CVSS7AI score0.09901EPSS
Exploits1References10
NVD
NVD
added 2023/12/25 8:15 a.m.28 views

CVE-2022-34267

An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint...

9.8CVSS0.42162EPSS
Exploits1References2
Prion
Prion
added 2023/12/25 8:15 a.m.21 views

Authentication flaw

An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint...

7.5CVSS7.5AI score0.42162EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2023/12/25 12:0 a.m.4 views

PT-2023-30873 · Unknown · Concrete Cms

Name of the Vulnerable Software and Affected Versions: Concrete CMS versions 9.0.0 through 9.2.2 Description: The issue allows an attacker to force an admin user to delete server report logs on a web application to which they are currently authenticated via the API endpoint...

4.3CVSS4.5AI score0.00227EPSS
Exploits0References9
Vulnrichment
Vulnrichment
added 2023/12/21 8:45 p.m.13 views

CVE-2023-46646

Improper access control in all versions of GitHub Enterprise Server allows unauthorized users to view private repository names via the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected GitHu...

5.3CVSS6.9AI score0.0054EPSS
Exploits0References4
Rows per page
Query Builder