Lucene search

1388 matches found

OSV
added 2023/06/19 1:15 p.m.

CVE-2023-2907

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Marksoft allows SQL Injection. This issue affects Marksoft: through Mobile:v.7.1.7 ; Login:1.4 ; API:20230605...

CVSS 9.8 · AI score 5.8
Exploits 0 · References 1
CNNVD
added 2023/06/12 12:00 a.m.

SRS command injection vulnerability

SRS is a simple, efficient, real-time video server from SRS open source. SRS has a command injection vulnerability; the vulnerability stems from the api-server server having a command injection vulnerability...

CVSS 7.5 · AI score 7.3 · EPSS 0.85502
Exploits 1 · References 4
CNNVD
added 2023/06/09 12:00 a.m.

WordPress Plugin WooCommerce Multivendor Marketplace – REST API security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exists in...

CVSS 5.4 · AI score 6.9 · EPSS 0.00122
Exploits 0 · References 6
CNNVD
added 2023/06/07 12:00 a.m.

WordPress Plugin MStore API improper access control vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers. WordPress plugin is an application...

CVSS 9.8 · AI score 8.3 · EPSS 0.00928
Exploits 1 · References 4
Grafana
added 2023/06/06 12:00 a.m.

Broken Access Control in Alert manager: Viewer can send test alerts

Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access t...

CVSS 7.5 · AI score 5.8 · EPSS 0.00903
Exploits 1
CNNVD
added 2023/05/30 12:00 a.m.

Shop Beat Media Player improper access control vulnerability

Shop Beat is a media player from Shop Beat, Inc. A security vulnerability exists in Shop Beat Media Player versions 2.5.95 through 3.2.57, which originates from a login that can bypass secondary authentication by accessing the API directly with a bearer token or jsession ID...

CVSS 5.4 · AI score 5.7 · EPSS 0.00151
Exploits 0 · References 2
OSV
added 2023/05/26 5:15 p.m.

CVE-2023-31227

The hwPartsDFR module has a vulnerability in API calling verification. Successful exploitation of this vulnerability may affect device confidentiality...

CVSS 7.5 · AI score 5.8 · EPSS 0.00129
Exploits 0 · References 1
ATTACKERKB
added 2023/05/26 5:15 p.m.

CVE-2023-31227

The hwPartsDFR module has a vulnerability in API calling verification. Successful exploitation of this vulnerability may affect device confidentiality...

CVSS 7.5 · AI score 5.9 · EPSS 0.00129
Exploits 0 · References 2 · Affected Software 2
OSV
added 2023/05/25 9:15 a.m.

CVE-2023-2886

Missing Origin Validation in WebSockets vulnerability in CBOT Chatbot allows Content Spoofing Via Application API Manipulation. This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7...

CVSS 4.3 · AI score 5.8 · EPSS 0.00167
Exploits 0 · References 1
Positive Technologies
added 2023/05/24 12:00 a.m.

PT-2023-24494 · Netbox · Netbox

Name of the Vulnerable Software and Affected Versions: Netbox version 3.5.1. Description: A stored cross-site scripting (XSS) issue exists in the Create Provider Accounts function, specifically at the /circuits/provider-accounts/ API endpoint, allowing attackers to execute arbitrary web scripts or...

CVSS 5.4 · AI score 5.4 · EPSS 0.00285
Exploits 1 · References 3
Positive Technologies
added 2023/05/23 12:00 a.m.

PT-2023-18901 · Ciq Api · Ciq Api

Name of the Vulnerable Software and Affected Versions: CIQ API versions 2.2.0 through 4.1.7. Description: The Toybox.Ant.BurstPayload.add API method suffers from a type confusion issue, which can result in an out-of-bounds write operation. A malicious application could create a specially crafted...

CVSS 9.8 · AI score 9.2 · EPSS 0.01587
Exploits 1 · References 4
CNNVD
added 2023/05/23 12:00 a.m.

Connect IQ security vulnerability

Connect IQ (CIQ) is a technology platform and ecosystem from Garmin Switzerland designed to extend and customize the functionality of its smartwatches and health trackers. Connect IQ suffers from a security vulnerability that stems from an unvalidated API function parameter that results in a buffer...

CVSS 9.8 · AI score 8.8 · EPSS 0.02023
Exploits 1 · References 3
CNNVD
added 2023/05/18 12:00 a.m.

Cisco DNA Center security vulnerability

Cisco DNA Center is a network management and command center service from Cisco USA. Cisco DNA Center is vulnerable to an authorization issue. The vulnerability stems from improper authorization of API requests and can be exploited by an authenticated, remote attacker to read information from a...

CVSS 5.4 · AI score 7.4 · EPSS 0.00648
Exploits 0 · References 2
CNNVD
added 2023/05/05 12:00 a.m.

bumsys security vulnerability

bumsys is an open source project called Business Management System by unilogies individual developers. A security vulnerability exists in versions of bumsys prior to 2.1.1, which stems from an api processing endpoint that is allowed to contain local files that can be used to cause remote code...

CVSS 8.8 · AI score 8.3 · EPSS 0.00655
Exploits 1 · References 3
CNNVD
added 2023/05/01 12:00 a.m.

Lenovo XClarity Controller security vulnerability

Lenovo XClarity Controller (XCC) is a server-embedded management engine from Lenovo China that is used to standardize and automate basic server management tasks. A security vulnerability exists in Lenovo XClarity Controller that stems from the possibility that a valid, authenticated user with...

CVSS 8.8 · AI score 8 · EPSS 0.0057
Exploits 0 · References 2
OSV
added 2023/04/27 8:15 p.m.

CVE-2022-31647

Docker Desktop before 4.6.0 on Windows allows attackers to delete any file through the hyperv/destroy dockerBackendV2 API via a symlink in the DataFolder parameter, a different vulnerability than CVE-2022-26659...

CVSS 7.1 · AI score 5.8 · EPSS 0.0022
Exploits 0 · References 2
OSV
added 2023/04/15 8:16 p.m.

PYSEC-2023-22

An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attacke...

CVSS 6.3 · AI score 5.8 · EPSS 0.00207
Exploits 0 · References 3
RedHat Linux
added 2023/04/14 1:45 p.m.

Mozilla: Memory Corruption in Safe Browsing Code

The Mozilla Foundation Security Advisory describes this flaw as: Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially exploitable crash...

CVSS 6.5 · AI score 7.4 · EPSS 0.00106
Exploits 0 · References 5
RedHat Linux
added 2023/04/14 1:44 p.m.

Mozilla: Memory Corruption in Safe Browsing Code

The Mozilla Foundation Security Advisory describes this flaw as: Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially exploitable crash...

CVSS 6.5 · AI score 7.4 · EPSS 0.00106
Exploits 0 · References 5
CNNVD
added 2023/04/14 12:00 a.m.

LIVEBOX Collaboration vDesk security vulnerability

LIVEBOX Collaboration vDesk is an application from LIVEBOX, Inc. A security vulnerability exists in LIVEBOX Collaboration vDesk version v018 and prior versions, which stems from broken access control under /api/v1/vdeskintegration/saml/user/createorupdate, /settings/guest-settings,...

CVSS 8.8 · AI score 7.9 · EPSS 0.00313
Exploits 1 · References 2