
86 matches found

OSV
added 2024/06/05 5:19 p.m., 14 views

GHSA-HWW5-6X85-MC24 Typo3 Arbitrary Code Execution and Cross-Site Scripting in Backend API

Backend API configuration using Page TSconfig is vulnerable to arbitrary code execution and cross-site scripting. TSconfig fields of page properties in backend forms can be used to inject malicious sequences. Field tsconfigincludes is vulnerable to directory traversal leading to same scenarios as...

AI score: 7.6
Exploits: 0, References: 2

Github Security Blog
added 2024/06/05 5:19 p.m., 19 views

Typo3 Arbitrary Code Execution and Cross-Site Scripting in Backend API

Backend API configuration using Page TSconfig is vulnerable to arbitrary code execution and cross-site scripting. TSconfig fields of page properties in backend forms can be used to inject malicious sequences. Field tsconfigincludes is vulnerable to directory traversal leading to same scenarios as...

AI score: 7.6
Exploits: 0, References: 3, Affected software: 1

OSV
added 2024/05/30 6:27 p.m., 15 views

GHSA-X428-565F-8XJ2 TYPO3 Arbitrary Code Execution and Cross-Site Scripting in Backend API

Backend API configuration using Page TSconfig is vulnerable to arbitrary code execution and cross-site scripting. TSconfig fields of page properties in backend forms can be used to inject malicious sequences. Field tsconfigincludes is vulnerable to directory traversal leading to same scenarios as...

CVSS: 8.8, AI score: 7.6
Exploits: 0, References: 5

OSV
added 2023/12/18 8:15 a.m., 1 view

CVE-2023-6483

The vulnerability exists in ADiTaaS Allied Digital Integrated Tool-as-a-Service version 5.1 due to an improper authentication vulnerability in the ADiTaaS backend API. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable...

CVSS: 9.8, AI score: 5.8, EPSS: 0.00136
Exploits: 0, References: 1

Veracode
added 2023/12/15 8:07 a.m., 26 views

Denial Of Service (DoS)

@cubejs-backend/api-gateway is vulnerable to Denial of Service (DoS). The vulnerability exists in gateway.ts, allowing an attacker to cause an application crash by submitting a crafted query...

CVSS: 7.5, AI score: 6.9, EPSS: 0.00169
Exploits: 0, References: 5, Affected software: 1

OSV
added 2022/06/01 9:12 a.m., 4 views

MAL-2022-72 Malicious code in @amcdc/backend-api-swagger (npm)

Per source details (source: ghsa-malware, fdf152986975b3c807745701930b9dbe420c924c2f23afd1271d21dc73bd6c63): Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 7
Exploits: 0, References: 1

OSV
added 2022/05/17 1:37 a.m., 17 views

GHSA-QMMW-CH2Q-J6XX Typo3 Backend API XSS Vulnerability

Cross-site scripting (XSS) vulnerability in the tree render API (TCA-Tree) in the Backend API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors...

CVSS: 3.5, AI score: 5, EPSS: 0.00196
Exploits: 0, References: 5

Prion
added 2022/04/25 1:15 p.m., 13 views

Design/Logic Flaw

VeryFitPro com.veryfit2hr.second 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords. This allows an attacker in possession of a hash to take over a user's...

CVSS: 4.6, AI score: 7.6, EPSS: 0.00125
Exploits: 2, References: 3, Affected software: 1

Cvelist
added 2022/04/25 12:03 p.m., 15 views

CVE-2021-36460

VeryFitPro com.veryfit2hr.second 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords. This allows an attacker in possession of a hash to take over a user's...

AI score: 7.8, EPSS: 0.00125
Exploits: 2, References: 3

Github Security Blog
added 2022/03/10 12:00 a.m., 31 views

Exposure of Private Personal Information to an Unauthorized Actor in alextselegidis/easyappointments

The software is a booking management system that has a public form to place bookings, and a private area for the calendar and management of services, users, settings, etc. There is a backend API that allows data manipulation, including listing the appointments for a specific time range. This...

CVSS: 9.1, AI score: 2.3, EPSS: 0.90789
Exploits: 7, References: 7, Affected software: 1

OSV
added 2022/03/10 12:00 a.m., 14 views

GHSA-R6CM-WG48-RH2R Exposure of Private Personal Information to an Unauthorized Actor in alextselegidis/easyappointments

The software is a booking management system that has a public form to place bookings, and a private area for the calendar and management of services, users, settings, etc. There is a backend API that allows data manipulation, including listing the appointments for a specific time range. This...

CVSS: 9.1, AI score: 9.1, EPSS: 0.90789
Exploits: 7, References: 7

NVD
added 2021/06/16 12:15 p.m., 14 views

CVE-2021-32612

The VeryFitPro com.veryfit2hr.second application 3.2.8 for Android does all communication with the backend API over cleartext HTTP. This includes logins, registrations, and password change requests. This allows information theft and account takeover via network sniffing...

CVSS: 8.1, EPSS: 0.00235
Exploits: 3, References: 4

Prion
added 2021/06/16 12:15 p.m., 11 views

Default credentials

The VeryFitPro com.veryfit2hr.second application 3.2.8 for Android does all communication with the backend API over cleartext HTTP. This includes logins, registrations, and password change requests. This allows information theft and account takeover via network sniffing...

CVSS: 4.3, AI score: 7.9, EPSS: 0.00235
Exploits: 3, References: 4, Affected software: 1

Github Security Blog
added 2021/06/04 7:09 p.m., 72 views

Path traversal

Impact A malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for docsdir in mkdocs.yml. These files would then be available over the TechDocs backend API. This vulnerability is mitigated by the fact that ...

CVSS: 6.5, AI score: 1.3, EPSS: 0.00484
Exploits: 0, References: 5, Affected software: 1

Github Security Blog
added 2019/11/08 5:31 p.m., 21 views

Default Express middleware security check is ignored in production

Impact: All Cube.js deployments that use affected versions of @cubejs-backend/api-gateway with the default Express authentication middleware in a production environment are affected. Patches: @cubejs-backend/[email protected] Workaround...

AI score: 1.5
Exploits: 0, References: 2, Affected software: 1

NVD
added 2019/10/02 3:15 p.m., 9 views

CVE-2019-13025

Compal CH7465LG CH7465LG-NCIP-6.12.18.24-5p8-NOSH devices have Incorrect Access Control because of Improper Input Validation. The attacker can send a maliciously modified POST HTTP request containing shell commands, which will be executed on the device, to a backend API endpoint of the cable mod...

CVSS: 9.8, AI score: 9.5, EPSS: 0.10808
Exploits: 2, References: 1

Cvelist
added 2019/10/02 2:54 p.m., 11 views

CVE-2019-13025

Compal CH7465LG CH7465LG-NCIP-6.12.18.24-5p8-NOSH devices have Incorrect Access Control because of Improper Input Validation. The attacker can send a maliciously modified POST HTTP request containing shell commands, which will be executed on the device, to a backend API endpoint of the cable mod...

AI score: 9.5, EPSS: 0.10808
Exploits: 2, References: 1

Friends Of PHP
added 2019/06/25 6:39 a.m., 12 views

Arbitrary Code Execution and Cross-Site Scripting in Backend API

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-019...

AI score: 7.2
Exploits: 0, Affected software: 1

Friends Of PHP
added 2019/06/25 6:39 a.m., 11 views

Arbitrary Code Execution and Cross-Site Scripting in Backend API

More info at https://typo3.org/security/advisory/typo3-core-sa-2019-019...

AI score: 7.2
Exploits: 0, Affected software: 1

Hacker One
added 2019/01/01 11:18 a.m., 28 views

Starbucks: Bug in GraphQL and API integration leads to limited user address disclosure

A modified GraphQL query to fetch a user's address book entries led to a limited disclosure of user address book entries. The modified query resulted in a backend API request with undefined as a parameter. The response contained address lists of accounts with a username of undefined. We were not...

AI score: 1
Exploits: 0