20 matches found

OSV, added 2025/05/30 3:30 p.m.

GHSA-J63J-7R7R-5V4J WSO2 products vulnerable to privilege escalation due to business logic flaw in SOAP admin services

A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: SOAP admin services are accessible to the attacker. The...

CVSS 4.2 | AI score 7.2 | EPSS 0.00199
Exploits: 0 | References: 3
Vulnrichment, added 2025/05/30 2:54 p.m.

CVE-2024-7096 Privilege Escalation in Multiple WSO2 Products via SOAP Admin Service Due to Business Logic Flaw

A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: SOAP admin services are accessible to the attacker. The...

CVSS 4.2 | AI score 6.4 | EPSS 0.00199
Exploits: 0 | References: 1
OSV, added 2024/07/18 3:22 p.m.

GHSA-XMVG-335G-X44Q The OpenSearch reporting plugin improperly controls tenancy access to reporting resources

Summary: An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. Impact: The lack of...

CVSS 5.4 | AI score 5.4 | EPSS 0.002
Exploits: 0 | References: 5
Veracode, added 2024/07/18 9:43 a.m.

Authorization Bypass

silverstripe/reports is vulnerable to Authorization Bypass. The vulnerability is due to a flaw in the implementation of access control mechanisms within the ReportAdmin.php. It allows direct URL access to reports by any user who has access to the reports admin section, irrespective of whether the...

CVSS 4.3 | AI score 6.6 | EPSS 0.00543
Exploits: 0 | References: 4 | Affected Software: 1
Cvelist, added 2024/06/20 12:36 p.m.

CVE-2023-49112 Insecure Direct Object Reference in Kiuwan SAST

Kiuwan provides an API endpoint /saas/rest/v1/info/application to get information about any application, providing only its name via the "application" parameter. This endpoint lacks proper access control mechanisms, allowing other authenticated users to read information about applications, even...

EPSS 0.00127
Exploits: 1 | References: 2
NVD, added 2024/06/04 8:15 p.m.

CVE-2024-4520

An improper access control vulnerability exists in the gaizhenbiao/chuanhuchatgpt application, specifically in version 20240410. This vulnerability allows any user on the server to access the chat history of any other user without requiring any form of interaction between the users. Exploitation ...

CVSS 7.5 | AI score 7.3 | EPSS 0.00157
Exploits: 1 | References: 2
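The Kiuwan, silverstripe/reports, OpenSearch private-tenant and chuanhuchatgpt entries above all describe one pattern: the caller is authenticated, the object is fetched by a client-supplied name or id, and nothing checks that this particular caller may see that particular object. The Python below is added here as an illustration and is not the code of any product in this list; the users, applications, field names, endpoint functions and the in-memory store are constructed for the example. It shows the unchecked lookup beside a per-object check and a small walk over every (user, object) pair that reports where the unchecked version leaks.

```python
"""Added example (not code from any product on this page): object-level
authorization, the class of flaw behind the IDOR / tenancy / direct-URL
entries above. Names, users and the in-memory store are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


@dataclass(frozen=True)
class Application:
    name: str
    owner: str
    members: frozenset   # accounts the owner has granted read access to
    internal: str        # data that must not leak across applications


class NotFound(Exception):
    """Raised for both 'no such object' and 'not yours to see'."""


# Constructed sample data: two applications, five authenticated accounts.
APPS = {
    "payments": Application("payments", "alice", frozenset({"bob"}), "repo=payments-svc"),
    "hr-portal": Application("hr-portal", "carol", frozenset(), "repo=hr-portal"),
}
USERS = [User("alice"), User("bob"), User("carol"), User("dave", is_admin=True), User("eve")]


def info_vulnerable(requester: User, application: str) -> dict:
    """The IDOR pattern: the caller is authenticated (we hold a User), the
    object is looked up purely by the client-supplied name, and nothing ties
    the two together. Every authenticated account can read every application."""
    app = APPS.get(application)
    if app is None:
        raise NotFound(application)
    return {"name": app.name, "owner": app.owner, "internal": app.internal}


def can_view(requester: User, app: Application) -> bool:
    """Per-object policy: admin, owner, or explicitly granted member.
    Being logged in, or having access to 'the admin section', is not enough."""
    return requester.is_admin or requester.name == app.owner or requester.name in app.members


def info_hardened(requester: User, application: str) -> dict:
    app = APPS.get(application)
    # One failure path for 'missing' and 'forbidden', so the endpoint cannot
    # be used to enumerate which application names exist.
    if app is None or not can_view(requester, app):
        raise NotFound(application)
    return {"name": app.name, "owner": app.owner, "internal": app.internal}


def access_allowed(user_name: str, application: str) -> bool:
    """True if the hardened endpoint returns data for this (user, application)."""
    user = next((u for u in USERS if u.name == user_name), User(user_name))
    try:
        info_hardened(user, application)
        return True
    except NotFound:
        return False


def find_leaks() -> list:
    """Walk every (user, application) pair and report where the unchecked
    endpoint hands out data that the policy says this user may not see."""
    leaks = []
    for user in USERS:
        for name in APPS:
            try:
                info_vulnerable(user, name)
            except NotFound:
                continue
            if not access_allowed(user.name, name):
                leaks.append((user.name, name))
    return leaks


if __name__ == "__main__":
    for who, what in find_leaks():
        print(f"leak: {who} can read {what} via the unchecked endpoint")
```

The point of `find_leaks` is that this class of bug is cheap to test for: enumerate the principals you have and the objects you know about, call the endpoint as each one, and compare against the policy. Returning the same "not found" answer for missing and forbidden objects is a deliberate choice so the hardened endpoint does not become an existence oracle for object names.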
Veracode, added 2024/03/29 9:25 a.m.

Improper Access Control

nautobot is vulnerable to Improper Access Control. The vulnerability is due to inadequate access control mechanisms where several Nautobot URL endpoints will not disclose any Nautobot data unless the configuration variable EXEMPT_VIEW_PERMISSIONS is modified from its default value, allowing...

CVSS 3.7 | AI score 6.9 | EPSS 0.00166
Exploits: 0 | References: 7 | Affected Software: 1
The Hacker News, added 2023/07/05 10:46 a.m.

Secrets, Secrets Are No Fun. Secrets, Secrets (Stored in Plain Text Files) Hurt Someone

Secrets are meant to be hidden or, at the very least, only known to a specific and limited set of individuals or systems. Otherwise, they aren't really secrets. In personal life, a secret revealed can damage relationships, lead to social stigma, or, at the very least, be embarrassing. In a...

CVSS 9.8 | AI score 7.2 | EPSS 0.9212
Exploits: 9
NVD, added 2023/02/09 5:15 p.m.

CVE-2022-48289

The bundle management module lacks authentication and control mechanisms in some APIs. Successful exploitation of this vulnerability may affect data confidentiality...

CVSS 7.5 | AI score 7.7 | EPSS 0.00118
Exploits: 0 | References: 2
Prion, added 2023/02/09 5:15 p.m.

Design/Logic Flaw

The bundle management module lacks authentication and control mechanisms in some APIs. Successful exploitation of this vulnerability may affect data confidentiality...

CVSS 5 | AI score 7.7 | EPSS 0.00118
Exploits: 0 | References: 2 | Affected Software: 2
Prion, added 2023/02/09 5:15 p.m.

Design/Logic Flaw

The bundle management module lacks authentication and control mechanisms in some APIs. Successful exploitation of this vulnerability may affect data confidentiality...

CVSS 5 | AI score 7.7 | EPSS 0.00118
Exploits: 0 | References: 2 | Affected Software: 2
Cvelist, added 2023/02/09 12:00 a.m.

CVE-2022-48288

The bundle management module lacks authentication and control mechanisms in some APIs. Successful exploitation of this vulnerability may affect data confidentiality...

AI score 7.9 | EPSS 0.00118
Exploits: 0 | References: 2
Vulnrichment, added 2023/02/09 12:00 a.m.

CVE-2022-48288

The bundle management module lacks authentication and control mechanisms in some APIs. Successful exploitation of this vulnerability may affect data confidentiality...

AI score 7.4 | EPSS 0.00118
Exploits: 0 | References: 2
CVE, added 2023/02/09 12:00 a.m.

CVE-2022-48288

CVE-2022-48288 relates to Huawei HarmonyOS, where the bundle management module exposes APIs without authentication/adequate access control. This vulnerability can lead to data confidentiality impacts if an attacker can access or manipulate bundle-related APIs. The available documents do not speci...

CVSS 7.5 | AI score 7.6 | EPSS 0.00118
Exploits: 0 | References: 2 | Affected Software: 2
Cvelist, added 2023/02/09 12:00 a.m.

CVE-2022-48289

The bundle management module lacks authentication and control mechanisms in some APIs. Successful exploitation of this vulnerability may affect data confidentiality...

AI score 7.9 | EPSS 0.00118
Exploits: 0 | References: 2
CVE, added 2023/02/09 12:00 a.m.

CVE-2022-48289

CVE-2022-48289 affects Huawei HarmonyOS (package management module). Multiple sources describe that the package management module lacks authentication and access control in some APIs, enabling a potential influence on data confidentiality. The NVD record notes a Network attack vector with High se...

CVSS 7.5 | AI score 7.6 | EPSS 0.00118
Exploits: 0 | References: 2 | Affected Software: 2
RedhatCVE, added 2021/05/13 6:48 a.m.

CVE-2020-26139

Frames used for authentication and key management between the AP and connected clients. Some clients may take these redirected frames masquerading as control mechanisms from the AP. Mitigation Mitigation for this issue is either not available or the currently available options does not meet the R...

CVSS 5.3 | AI score 1.6 | EPSS 0.02254
Exploits: 0 | References: 4
NVD, added 2018/06/07 9:29 p.m.

CVE-2018-0332

A vulnerability in the Session Initiation Protocol (SIP) ingress packet processing of Cisco Unified IP Phone software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to a lack of flow-control mechanisms in the software. An attacke...

CVSS 7.5 | AI score 7.4 | EPSS 0.01409
Exploits: 0 | References: 3
Cvelist, added 2016/11/07 11:00 a.m.

CVE-2016-9111

Incorrect access control mechanisms in Citrix Receiver Desktop Lock 4.5 allow an attacker to bypass the authentication requirement by leveraging physical access to a VDI for temporary disconnection of a LAN cable. NOTE: as of 20161208, the vendor could not reproduce the issue, stating "the...

AI score 6.5 | EPSS 0.026
Exploits: 5 | References: 5
myhack58, added 2016/08/05 12:00 a.m.

Four high-risk vulnerabilities found in the HTTP/2.0 protocol can crash servers (bug warning, Black Bar Safety Net)

If you think the HTTP/2.0 protocol is more secure than standard HTTP (Hypertext Transfer Protocol), you are wrong. Researchers spent four months on the HTTP/2.0 protocol and found four vulnerabilities. Two months earlier, Google had folded its SPDY project into HTTP/2.0, intending to strengthen page...

AI score 0.6
Exploits: 0