1890 matches found

Github Security Blog
added 2024/06/06 9:30 p.m. · 35 views

SQL injection in litellm

An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the /global/spend/logs endpoint. The vulnerability arises due to improper neutralization of special elements used in an SQL command. The affected code constructs an SQL query by concatenating an unvalidat...

CVSS 7.2 · AI score 6.7 · EPSS 0.00429
Exploits 1 · References 5 · Affected Software 1

Cvelist
added 2024/06/06 6:19 p.m. · 34 views

CVE-2024-5225 SQL Injection in berriai/litellm

An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the /global/spend/logs endpoint. The vulnerability arises due to improper neutralization of special elements used in an SQL command. The affected code constructs an SQL query by concatenating an unvalidat...

CVSS 6.4 · EPSS 0.00429
Exploits 1 · References 1
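The two litellm entries above describe a query assembled by concatenating an unvalidated value into SQL text. The following Python is an added illustration, not litellm's own code and not the schema behind its /global/spend/logs endpoint: it puts the concatenation pattern beside the parameterized form against a constructed in-memory SQLite table. The table name, columns, rows and the tautology payload are assumptions made for the demo.

```python
import sqlite3


def demo_db():
    """Constructed in-memory table standing in for a spend-log store (not litellm's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE spend_logs (id INTEGER PRIMARY KEY, api_key TEXT, spend REAL)")
    conn.executemany(
        "INSERT INTO spend_logs (api_key, spend) VALUES (?, ?)",
        [("sk-alice", 1.25), ("sk-bob", 9.5), ("sk-carol", 0.1)],
    )
    conn.commit()
    return conn


def logs_for_key_vulnerable(conn, api_key):
    """Concatenation: the caller's string becomes part of the SQL text and can change its logic."""
    sql = "SELECT api_key, spend FROM spend_logs WHERE api_key = '" + api_key + "'"
    return conn.execute(sql).fetchall()


def logs_for_key_safe(conn, api_key):
    """Bound parameter: the value travels separately from the statement and is never parsed as SQL."""
    sql = "SELECT api_key, spend FROM spend_logs WHERE api_key = ?"
    return conn.execute(sql, (api_key,)).fetchall()


def demo():
    """Run both variants with a tautology payload and with a legitimate key."""
    conn = demo_db()
    payload = "' OR '1'='1"  # closes the string literal and ORs in an always-true predicate
    return {
        "vulnerable_rows": len(logs_for_key_vulnerable(conn, payload)),  # every row comes back
        "safe_rows": len(logs_for_key_safe(conn, payload)),              # no key equals the payload
        "legit_lookup": logs_for_key_safe(conn, "sk-bob"),
    }


if __name__ == "__main__":
    print(demo())
```

The only difference between the two functions is where the value enters: as text spliced into the statement, or as a bound parameter. Escaping or filtering quotes in the concatenated version is not an equivalent fix; binding is the check to look for when reviewing the affected code.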

BDU FSTEC
added 2024/06/03 12:00 a.m. · 5 views

The vulnerability in the caddy-security authentication plugin, related to the use of insufficiently random values, allows attackers to carry out OAuth interception attacks and to generate insecure, repeated authentication and API key checks in the database.

The vulnerability in the caddy-security authentication plugin is related to the use of insufficiently random values. Exploiting it allows a remote attacker to carry out an OAuth hijacking attack and to generate insecure, repeated authentication and API key checks in the database...

CVSS 6.5 · AI score 7.1 · EPSS 0.0068
Exploits 0 · References 6 · Affected Software 1

NVD
added 2024/05/30 5:15 a.m. · 15 views

CVE-2024-3277

The Yumpu ePaper publishing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxhandler function in all versions up to, and including, 2.0.24. This makes it possible for authenticated attackers, with subscriber-level access and abov...

CVSS 5 · AI score 5.3 · EPSS 0.00316
Exploits 0 · References 3

Vulnrichment
added 2024/05/30 4:31 a.m. · 13 views

CVE-2024-3277 Yumpu ePaper publishing <= 2.0.24 - Missing Authorization to PDF Upload, Publishing, and API Key Modification

The Yumpu ePaper publishing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxhandler function in all versions up to, and including, 2.0.24. This makes it possible for authenticated attackers, with subscriber-level access and abov...

CVSS 5 · AI score 6.5 · EPSS 0.00316
Exploits 0 · References 2

CVE
added 2024/05/30 4:31 a.m. · 85 views

CVE-2024-3277

CVE-2024-3277 affects the WordPress plugin “Yumpu ePaper publishing” (versions

CVSS 5 · AI score 5.2 · EPSS 0.00316
Exploits 0 · References 3

Cvelist
added 2024/05/30 4:31 a.m. · 24 views

CVE-2024-3277 Yumpu ePaper publishing <= 2.0.24 - Missing Authorization to PDF Upload, Publishing, and API Key Modification

The Yumpu ePaper publishing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxhandler function in all versions up to, and including, 2.0.24. This makes it possible for authenticated attackers, with subscriber-level access and abov...

CVSS 5 · AI score 5.2 · EPSS 0.00316
Exploits 0 · References 2

Positive Technologies
added 2024/05/30 12:00 a.m. · 13 views

PT-2024-24841 · WordPress · Yumpu Epaper Publishing Plugin

Name of the Vulnerable Software and Affected Versions: Yumpu ePaper publishing plugin for WordPress version 2.0.24 and earlier Description: The issue allows authenticated attackers with subscriber-level access and above to upload PDF files, publish them, and modify the API key due to a missing...

CVSS 5 · AI score 6.7 · EPSS 0.00316
Exploits 0 · References 5

Patchstack
added 2024/05/29 11:56 p.m. · 6 views

WordPress Yumpu ePaper publishing plugin <= 2.0.24 - Missing Authorization to PDF Upload, Publishing, and API Key Modification vulnerability

Missing Authorization to PDF Upload, Publishing, and API Key Modification vulnerability discovered by Lucio Sá in WordPress Plugin Yumpu ePaper publishing versions <= 2.0.24...

CVSS 5 · AI score 7 · EPSS 0.00316
Exploits 0 · References 1 · Affected Software 1

OSV
added 2024/05/29 4:44 p.m. · 5 views

DRUPAL-CONTRIB-2024-022

Drupal REST & JSON API Authentication module restricts and secures unauthorized access to your Drupal site APIs using different authentication methods including Basic Authentication , API Key Authentication , JWT Authentication , OAuth Authentication , External / Third-Party Provider...

CVSS 9.8 · AI score 6.9 · EPSS 0.00618
Exploits 0 · References 1

WPVulnDB
added 2024/05/29 12:00 a.m. · 18 views

Yumpu ePaper publishing <= 2.0.24 - Missing Authorization to PDF Upload, Publishing, and API Key Modification

Description The Yumpu ePaper publishing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxhandler function in all versions up to, and including, 2.0.24. This makes it possible for authenticated attackers, with subscriber-level...

CVSS 5 · AI score 4.9 · EPSS 0.00316
Exploits 0 · References 1

Vulnrichment
added 2024/05/25 2:50 a.m. · 19 views

CVE-2024-4858 Testimonial Carousel For Elementor <= 10.2.0 - Missing Authorization to Limited Setting Update

The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'savetestimonialsoptioncallback' function in versions up to, and including, 10.2.0. This makes it possible for unauthenticated attackers to updat...

CVSS 5.3 · AI score 6.7 · EPSS 0.00402
Exploits 0 · References 3

CVE
added 2024/05/25 2:50 a.m. · 91 views

CVE-2024-4858

CVE-2024-4858 affects the WordPress plugin Testimonial Carousel for Elementor (WordPress plugin). The vulnerability is due to a missing capability check in the function save_testimonials_option_callback, present in versions up to and including 10.2.0, enabling unauthenticated attackers to modify ...

CVSS 5.3 · AI score 5.5 · EPSS 0.00402
Exploits 0 · References 3 · Affected Software 1

Positive Technologies
added 2024/05/25 12:00 a.m. · 5 views

PT-2024-33154 · Openai · Openai Api

Name of the Vulnerable Software and Affected Versions: The Testimonial Carousel For Elementor plugin for WordPress versions up to, and including, 10.2.0 Description: The issue is related to a missing capability check on the save testimonials option callback function, allowing unauthorized...

CVSS 5.3 · AI score 6.3 · EPSS 0.00402
Exploits 0 · References 8

VulnCheck KEV
added 2024/05/15 12:00 a.m. · 2 views

VulnCheck KEV: CVE-2021-45467

In CWP aka Control Web Panel or CentOS Web Panel before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/accountnewcreate&acc=guadaapi URI. Any number of...

CVSS 9.8 · AI score 5.9 · EPSS 0.70947
Exploits 1 · References 1
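The URI quoted in the CWP entry carries a `scripts` value whose path segments are `.%00.`, i.e. two dots with a NUL byte between them. The Python below is an added example, not part of the advisory and not CWP's code: it scans constructed access-log lines (fake addresses and timestamps; the third URI is the one quoted above) and flags three things. A literal `..` segment after ordinary percent-decoding, any decoded value containing NUL, and a `..` segment that only appears once the NULs are removed. That last check models a downstream component that drops embedded NUL bytes, which is an assumption of this example about why the trick matters, not something the advisory states.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (fake hosts and timestamps). Line 1 is benign, line 2 is a
# plainly encoded traversal, line 3 uses the ".%00." form quoted in the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [15/May/2024:10:01:02 +0000] "GET /user/loader.php?api=1&scripts=api/accountlist HTTP/1.1" 200 512
203.0.113.5 - - [15/May/2024:10:01:05 +0000] "GET /user/loader.php?api=1&scripts=..%2F..%2Fapi%2Faccountnewcreate HTTP/1.1" 403 0
198.51.100.7 - - [15/May/2024:10:02:10 +0000] "GET /user/loader.php?api=1&scripts=.%00./.%00./api/accountnewcreate&acc=guadaapi HTTP/1.1" 200 128
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def analyse_query(query):
    """Return sorted finding labels for one raw query string.

    'traversal'                : a '..' path segment is present after normal percent-decoding.
    'nul_byte'                 : a decoded parameter value contains NUL (%00).
    'traversal_after_nul_strip': '..' appears only once NULs are removed, i.e. the ".%00."
                                 form; assumes a downstream component that drops embedded NULs.
    """
    findings = set()
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            if "\x00" in value:
                findings.add("nul_byte")
                if ".." in value.replace("\x00", "").split("/"):
                    findings.add("traversal_after_nul_strip")
            elif ".." in value.split("/"):
                findings.add("traversal")
    return sorted(findings)


def scan_log(text):
    """Return (client_ip, uri, findings) for every request line with at least one finding."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        uri = m.group("uri")
        findings = analyse_query(urlsplit(uri).query)
        if findings:
            hits.append((line.split(" ", 1)[0], uri, findings))
    return hits


if __name__ == "__main__":
    for ip, uri, findings in scan_log(SAMPLE_LOG):
        print(ip, findings, uri)
```

A filter that only looks for `..` in the decoded value passes line 3, because the segments it sees are `.\x00.`; that is why the detector treats any NUL in a decoded parameter as a finding in its own right rather than waiting for a traversal pattern to emerge.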

OSV
added 2024/05/14 10:25 p.m. · 44 views

GHSA-JV32-5578-PXJC Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Today we are releasing Grafana 9.2. Along with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31130. We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, the latest release, also...

CVSS 6.9 · AI score 7.6 · EPSS 0.00964
Exploits 0 · References 6

OSV
added 2024/05/14 7:16 a.m. · 26 views

BIT-ELASTICSEARCH-2024-23451 Elasticsearch Incorrect Authorization in the Remote Cluster Security API key based security model

Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to...

CVSS 6.5 · AI score 5.6 · EPSS 0.00435
Exploits 0 · References 2

Positive Technologies
added 2024/05/08 12:00 a.m. · 7 views

PT-2024-26239 · Nedis · Nedis Smartlife Android App

Name of the Vulnerable Software and Affected Versions: Nedis SmartLife android app version 1.4.0 Description: The issue concerns an API key disclosure. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited...

CVSS 7.5 · AI score 7 · EPSS 0.00354
Exploits 0 · References 5

NVD
added 2024/04/23 9:15 a.m. · 14 views

CVE-2024-3185

A key used in logging.json does not follow the least privilege principle by default and is exposed to local users in the Rapid7 Platform. This allows an attacker with local access to a machine with the logging.json file to use that key to authenticate to the platform with high privileges. This wa...

CVSS 6.8 · AI score 6.5 · EPSS 0.00172
Exploits 0 · References 1

CVE
added 2024/04/23 8:39 a.m. · 91 views

CVE-2024-3185

CVE-2024-3185 (Rapid7 Insight Agent/Rapid7 Platform) involves a misconfigured key in logging.json that, by default, does not adhere to the least-privilege principle and is exposed to local users. An attacker with local access could use this key to authenticate to the platform with elevated privil...

CVSS 6.8 · AI score 6.6 · EPSS 0.00172
Exploits 0 · References 1
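Both CVE-2024-3185 entries describe the same class of problem: a high-privilege key sitting in a config file that local users can read. The Python below is an added practitioner check, not Rapid7's code, and the file layout and field names it uses are hypothetical. It audits a JSON config for two conditions, whether group or other users have read permission on the file and whether any field name looks like a credential, and reports the combination as an exposure. The demo writes a constructed logging.json with a fake key, audits it at mode 0644, then again at 0600.

```python
import json
import os
import stat
import tempfile

# Field-name fragments treated as credential indicators (a heuristic assumed by this demo).
SECRET_HINTS = ("key", "token", "secret", "password")


def find_secret_fields(obj, path=""):
    """Walk nested JSON and return dotted paths of string fields whose name looks credential-like."""
    found = []
    if isinstance(obj, dict):
        for name, value in obj.items():
            here = f"{path}.{name}" if path else name
            if isinstance(value, str) and any(h in name.lower() for h in SECRET_HINTS):
                found.append(here)
            found.extend(find_secret_fields(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(find_secret_fields(value, f"{path}[{i}]"))
    return found


def audit_config(path):
    """Report the file mode, whether non-owner users can read it, and any credential-like fields."""
    st = os.stat(path)
    readable_by_others = bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH))
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    secrets = find_secret_fields(cfg)
    return {
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "readable_by_others": readable_by_others,
        "secret_fields": secrets,
        "exposed": readable_by_others and bool(secrets),
    }


def demo():
    """Audit a constructed logging.json (hypothetical schema, fake key) at 0644 and then at 0600."""
    sample = {
        "level": "info",
        "sink": {"url": "https://example.invalid/ingest", "api_key": "demo-key-not-real"},
    }
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "logging.json")
        with open(p, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(p, 0o644)
        before = audit_config(p)
        os.chmod(p, 0o600)
        after = audit_config(p)
    return before, after


if __name__ == "__main__":
    for label, report in zip(("0644", "0600"), demo()):
        print(label, report)
```

Tightening the mode removes the local-read exposure but does not address the first half of the advisory's point, that the key itself carries more privilege than logging needs; the audit output is a prompt to check both.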