1890 matches found
SQL injection in litellm
An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the /global/spend/logs endpoint. The vulnerability arises due to improper neutralization of special elements used in an SQL command. The affected code constructs an SQL query by concatenating an unvalidat...
CVE-2024-5225 SQL Injection in berriai/litellm
An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the /global/spend/logs endpoint. The vulnerability arises due to improper neutralization of special elements used in an SQL command. The affected code constructs an SQL query by concatenating an unvalidat...
The vulnerability of the caddy-security authentication plugin, related to the use of insufficiently random values, allows attackers to execute OAuth interception attacks and generate insecure, repeated authentication and API key checks in the database.
The vulnerability of the caddy-security authentication plugin is related to the use of insufficiently random values. Exploiting this vulnerability allows a remote attacker to execute an OAuth hijacking attack and generate insecure, repeated authentication and API key checks in the database...
CVE-2024-3277
The Yumpu ePaper publishing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxhandler function in all versions up to, and including, 2.0.24. This makes it possible for authenticated attackers, with subscriber-level access and abov...
CVE-2024-3277 Yumpu ePaper publishing <= 2.0.24 - Missing Authorization to PDF Upload, Publishing, and API Key Modification
The Yumpu ePaper publishing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxhandler function in all versions up to, and including, 2.0.24. This makes it possible for authenticated attackers, with subscriber-level access and abov...
CVE-2024-3277
CVE-2024-3277 affects the WordPress plugin “Yumpu ePaper publishing” (versions
CVE-2024-3277 Yumpu ePaper publishing <= 2.0.24 - Missing Authorization to PDF Upload, Publishing, and API Key Modification
The Yumpu ePaper publishing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxhandler function in all versions up to, and including, 2.0.24. This makes it possible for authenticated attackers, with subscriber-level access and abov...
PT-2024-24841 · WordPress · Yumpu Epaper Publishing Plugin
Name of the Vulnerable Software and Affected Versions: Yumpu ePaper publishing plugin for WordPress version 2.0.24 and earlier Description: The issue allows authenticated attackers with subscriber-level access and above to upload PDF files, publish them, and modify the API key due to a missing...
WordPress Yumpu ePaper publishing plugin <= 2.0.24 - Missing Authorization to PDF Upload, Publishing, and API Key Modification vulnerability
Missing Authorization to PDF Upload, Publishing, and API Key Modification vulnerability discovered by Lucio Sá in WordPress Plugin Yumpu ePaper publishing versions = 2.0.24...
DRUPAL-CONTRIB-2024-022
Drupal REST & JSON API Authentication module restricts and secures unauthorized access to your Drupal site APIs using different authentication methods including Basic Authentication , API Key Authentication , JWT Authentication , OAuth Authentication , External / Third-Party Provider...
Yumpu ePaper publishing <= 2.0.24 - Missing Authorization to PDF Upload, Publishing, and API Key Modification
Description The Yumpu ePaper publishing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxhandler function in all versions up to, and including, 2.0.24. This makes it possible for authenticated attackers, with subscriber-level...
CVE-2024-4858 Testimonial Carousel For Elementor <= 10.2.0 - Missing Authorization to Limited Setting Update
The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'savetestimonialsoptioncallback' function in versions up to, and including, 10.2.0. This makes it possible for unauthenticated attackers to updat...
CVE-2024-4858
CVE-2024-4858 affects the WordPress plugin Testimonial Carousel for Elementor (WordPress plugin). The vulnerability is due to a missing capability check in the function save_testimonials_option_callback, present in versions up to and including 10.2.0, enabling unauthenticated attackers to modify ...
PT-2024-33154 · Openai · Openai Api
Name of the Vulnerable Software and Affected Versions: The Testimonial Carousel For Elementor plugin for WordPress versions up to, and including, 10.2.0 Description: The issue is related to a missing capability check on the save testimonials option callback function, allowing unauthorized...
VulnCheck KEV: CVE-2021-45467
In CWP aka Control Web Panel or CentOS Web Panel before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/accountnewcreate&acc=guadaapi URI. Any number of...
GHSA-JV32-5578-PXJC Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
Today we are releasing Grafana 9.2. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31130 We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also...
BIT-ELASTICSEARCH-2024-23451 Elasticsearch Incorrect Authorization in the Remote Cluster Security API key based security model
Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to...
PT-2024-26239 · Nedis · Nedis Smartlife Android App
Name of the Vulnerable Software and Affected Versions: Nedis SmartLife android app version 1.4.0 Description: The issue concerns an API key disclosure. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited...
CVE-2024-3185
A key used in logging.json does not follow the least privilege principle by default and is exposed to local users in the Rapid7 Platform. This allows an attacker with local access to a machine with the logging.json file to use that key to authenticate to the platform with high privileges. This wa...
CVE-2024-3185
CVE-2024-3185 (Rapid7 Insight Agent/Rapid7 Platform) involves a misconfigured key in logging.json that, by default, does not adhere to the least-privilege principle and is exposed to local users. An attacker with local access could use this key to authenticate to the platform with elevated privil...