CVE-2025-3135

A vulnerability classified as critical was found in fcbazzm ics-park Smart Park Management System 2.1. This vulnerability affects unknown code of the file /api/system/dept/update. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the...

UBUNTU-CVE-2024-36465

A low privilege regular Zabbix user with API access can use SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter...

raven 输入验证错误漏洞

raven is a simple, open source team messaging platform from Commit Open Source. An input validation error vulnerability exists in versions of Raven prior to 2.1.10 that stems from allowing any logged in user to execute code via an API endpoint...

Tuleap 安全漏洞

Tuleap is an open source suite from Enalean Open Source designed to improve the management of software development and collaboration. A security vulnerability exists in Tuleap Community Edition prior to 16.5.99.1742392651 and Tuleap Enterprise Edition prior to 16.5-5, and prior to 16.4-8, which...

SUSE CVE-2025-25068

Mattermost versions 10.4.x = 10.4.2, 10.3.x = 10.3.3, 9.11.x = 9.11.8, 10.5.x = 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes...

Unitree Go 1 安全漏洞

Unitree Go 1 is a robotic dog from the Chinese company Unitree. Unitree Go 1 suffers from a security vulnerability that stems from an undocumented backdoor that could lead to full remote control of the device by the manufacturer or a person in possession of an API key...

WordPress Better WishList API plugin <= 1.1.4 - Cross Site Scripting (XSS) Vulnerability

Cross Site Scripting XSS Vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Better WishList API versions = 1.1.4...

Improper Privilege Management

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Improper Privilege Management through the API endpoint http://0.0.0.0:8080/api/v1/users/uuidadministrator. An attacker, acting as an admin, can delete other administrators. This action is restricted by the us...

Composio 安全漏洞

Composio is a production-ready toolset for AI agents open-sourced by Composio. A security vulnerability exists in Composio version 0.5.10 that stems from the API not validating the value of the x-api-key header, which could lead to unauthorized access...

LogicalDOC 安全漏洞

LogicalDOC is a document management system developed using Java technology by LogicalDOC, Inc. in the United States. The system has features such as Lucene full-text search indexing and automatic import. LogicalDOC has a security vulnerability that stems from an API endpoint flaw that could allow...

WordPress Resido theme <= 3.6 - Missing Authorization to Unauthenticated Server-Side Request Forgery and API Key Settings Update vulnerability

Missing Authorization to Unauthenticated Server-Side Request Forgery and API Key Settings Update vulnerability discovered by Lucio Sá in WordPress Plugin Resido versions = 3.6...

GitLab Enterprise Edition 安全漏洞

GitLab Enterprise Edition EE is a content management system from the American company GitLab. A security vulnerability exists in GitLab Enterprise Edition versions 12.3 through prior to 17.7.7, 17.8 through prior to 17.8.5, and 17.9 through prior to 17.9.2, which stems from a vulnerability in...

Rising Technosoft CAP back office application 授权问题漏洞

Rising Technosoft CAP back office application is a back office application from Rising Technosoft India. The Rising Technosoft CAP back office application suffers from an authorization issue vulnerability that stems from a weak password reset mechanism implemented in the API endpoint that allows ...

CVE-2023-40723

An exposure of sensitive information to an unauthorized actor in Fortinet FortiSIEM version 6.7.0 through 6.7.4 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.1 and 6.4.0 through 6.4.2 and 6.3.0 through 6.3.3 and 6.2.0 through 6.2.1 and 6.1.0 through 6.1.2 and 5.4.0 and 5.3.0 through 5.3.3 and 5.2...

U.S. Dept Of Defense: Information Disclosure in API Endpoint /users

An endpoint /users was exposing sensitive user information, including id, first name, last name, email, role, and authdata, to unauthenticated users. This allowed anyone to retrieve private user details without authentication...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS through the rex-api-result parameter. An attacker can execute arbitrary scripts in the context of the user's browser session by crafting a malicious URL that injects JavaScript into the web page. Details...

How to Create a Scan for Local File Inclusion

This whitepaper covers how to create a scan in Perl to identify different types of local file inclusion in web applications. Depending on the context of the environment and architecture, the content of the paper can be applied to APIs in addition to presenting how to correct or avoid local file...

WordPress RateMyAgent Official plugin <= 1.4.0 - Cross-Site Request Forgery to API Key Update vulnerability

Cross-Site Request Forgery to API Key Update vulnerability discovered by Dhabaleshwar Das in WordPress Plugin RateMyAgent Official versions = 1.4.0...

Incorrect Authorization

Overview org.wso2.is:identity-server-parent is an open source Identity and Access Management solution federating and managing identities across both enterprise and cloud service environments. Affected versions of this package are vulnerable to Incorrect Authorization that allows an attacker in...

CVE-2024-50689

SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references IDOR via the orgService API model...