PT-2025-32228 · Tigo Energy · Tigo Energy Cca
Name of the Vulnerable Software and Affected Versions: Tigo Energy CCA device affected versions not specified Description: The Tigo Energy CCA device is susceptible to insecure session ID generation within its remote API. Session IDs are created using a predictable method based on the current...
Crestron Automate VX Security Vulnerability
Crestron Automate VX is an enterprise-grade intelligent space automation platform with integrated AV control, IoT device management, and data analytics from Crestron USA. A security vulnerability exists in Crestron Automate VX versions 5.6.8161.21536 through 6.4.0.49, which stems from a remote we...
A vulnerability in GLPI, the request, incident, and asset inventory management system, related to improper access control, allows an intruder to gain unauthorized access to an account.
A vulnerability in GLPI, the system for managing requests, incidents, and the inventory of computer equipment, is related to improper access control. Exploiting this vulnerability could allow a malicious actor, operating remotely, to gain unauthorized access to an account through the API...
Century Systems FutureNet NXR Security Vulnerability
Century Systems FutureNet NXR is a series of routers from Century Systems, Japan. A security vulnerability exists in Century Systems FutureNet NXR, arising from an initial configuration in which REST APIs are accidentally enabled during device startup, which could allow an attacker to gain acce...
Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach
In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts...
PT-2024-10394 · Cisco · Cisco Optical Site Manager +3
Name of the Vulnerable Software and Affected Versions: Cisco Crosswork Network Services Orchestrator NSO affected versions not specified Cisco ConfD affected versions not specified Cisco Optical Site Manager affected versions not specified Cisco RV340 Dual WAN Gigabit VPN Routers affected version...
SUSE CVE-2017-1000398
The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/agent-name/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read...
SUSE CVE-2021-27358
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attacker to trigger a Denial of Service via a remote API call if a commonly used configuration is set...
Exposure of Sensitive Information to an Unauthorized Actor in Jenkins
The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/ID/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This h...
GHSA-WQV4-9GR3-3QGH Exposure of Sensitive Information to an Unauthorized Actor in Jenkins
Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/username/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote...
Exposure of Sensitive Information to an Unauthorized Actor in Jenkins
Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/username/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote...
Exposure of Sensitive Information to an Unauthorized Actor in Jenkins
The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/agent-name/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read...
Denial of service in Grafana
The snapshot feature in Grafana before 7.4.2 can allow an unauthenticated remote attacker to trigger a Denial of Service via a remote API call if a commonly used configuration is set. Specific Go Packages Affected: github.com/grafana/grafana/pkg/middleware...
CentOS 8 : grafana (CESA-2021:4226)
The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2021:4226 advisory. - grafana: snapshot feature allows an unauthenticated remote attacker to trigger a DoS via a remote API call (CVE-2021-27358) - golang: crypto/elliptic:...
Moderate: grafana security, bug fix, and enhancement update
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. The following packages have been upgraded to a later upstream version: grafana 7.5.9. BZ1921191 Security Fixes: golang: crypto/elliptic: incorrect operations on the P-224 curve...
Security update for grafana (important)
openSUSE Security Update: Security update for grafana Announcement ID: openSUSE-SU-2021:2662-1 Rating: important References: 1183803 1183809 1183811 1183813 1184371 Cross-References: CVE-2021-27358 CVE-2021-27962 CVE-2021-28146 CVE-2021-28147 CVE-2021-28148 CVSS scores: CVE-2021-27358 NVD : 7.5...
GHSA-Q6PJ-JH94-5FPR OS Command Injection in docker-compose-remote-api
docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within index.js of the package, the function exec(serviceName, cmd, fnStdout, fnStderr, fnExit) uses the variable serviceName, which can be controlled by users without any sanitization...
OS Command Injection in docker-compose-remote-api
docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within index.js of the package, the function exec(serviceName, cmd, fnStdout, fnStderr, fnExit) uses the variable serviceName, which can be controlled by users without any sanitization...
Jenkins Remote API Information Disclosure (CVE-2017-1000395)
An information disclosure vulnerability exists in Jenkins Remote API. Successful exploitation of this vulnerability could allow a remote attacker to gain information about Jenkins user accounts...
Denial Of Service (DoS)
github.com/grafana/grafana is vulnerable to denial of service. An unauthenticated attacker is able to crash the application via a remote API call to the snapshot feature...