4960 matches found

CVE
added 2024/08/17 9:38 a.m., 82 views

CVE-2023-3416

The CVE-2023-3416 issue affects the tagDiv Opt-In Builder WordPress plugin. According to the connected documents, the vulnerability is a Blind SQL Injection in the subscriptionCouponId parameter of the create_stripe_subscription REST API endpoint, exploitable by an authenticated administrator. Th...

CVSS 7.2, AI score 7.3, EPSS 0.00561
Exploits 0, References 2
CVE
added 2024/08/17 9:38 a.m., 82 views

CVE-2023-3419

CVE-2023-3419 concerns tagDiv Opt-In Builder (WordPress plugin) with a Blind SQL Injection in the couponId parameter of the recreate_stripe_subscription REST endpoint. Affected versions up to and including 1.4.4 allow an authenticated administrator to append SQL statements to existing queries, en...

CVSS 7.2, AI score 7.3, EPSS 0.00557
Exploits 0, References 2
NVD
added 2024/08/06 2:16 p.m., 22 views

CVE-2024-30170

PrivX before 34.0 allows data exfiltration and denial of service via the REST API. This is fixed in minor versions 33.1, 32.3, 31.3, and later, and in major version 34.0 and later,...

CVSS 9.1, EPSS 0.00614
Exploits 1, References 2
Vulnrichment
added 2024/08/06 12:00 a.m., 21 views

CVE-2024-30170

PrivX before 34.0 allows data exfiltration and denial of service via the REST API. This is fixed in minor versions 33.1, 32.3, 31.3, and later, and in major version 34.0 and later,...

AI score 7, EPSS 0.00614
Exploits 1, References 2
CVE
added 2024/08/06 12:00 a.m., 64 views

CVE-2024-30170

PrivX (SSH) vulnerable to REST API abuse prior to v34.0. The issue enables data exfiltration and denial of service via the REST API. Affected versions include minor releases 33.1, 32.3, and 31.3, with a fix implemented in major release 34.0 and later. The connected sources confirm the vulnerabili...

CVSS 9.1, AI score 7, EPSS 0.00614
Exploits 1, References 2, Affected Software 1
Cvelist
added 2024/08/06 12:00 a.m., 24 views

CVE-2024-30170

PrivX before 34.0 allows data exfiltration and denial of service via the REST API. This is fixed in minor versions 33.1, 32.3, 31.3, and later, and in major version 34.0 and later,...

EPSS 0.00614
Exploits 1, References 2
BDU FSTEC
added 2024/07/29 12:00 a.m., 4 views

The vulnerability in the GLPI request and incident handling system, related to improper neutralization of special elements used in SQL commands, allows an attacker to carry out a time-based attack using SQL injection in the REST API user_token.

The vulnerability of the GLPI request and incident handling system is related to the improper neutralization of certain special elements. Exploiting this vulnerability allows a malicious actor to scan server ports or services, and to carry out timing-based attacks, using SQL injections i...

CVSS 10, AI score 7.9, EPSS 0.34251
Exploits 0, References 3, Affected Software 2
Atlassian
added 2024/07/23 8:46 a.m., 26 views

Bitbucket Datacenter REST API allows non-admin users to query all groups and members of the group

Issue Summary: Non-admin users (any licensed user) can query all the groups and members of the groups using the below API: Groups API, https://developer.atlassian.com/server/bitbucket/rest/v819/api-group-permission-management/api-api-latest-admin-groups-get. Group memberships...

AI score 7
Exploits 0, Affected Software 1
NVD
added 2024/07/22 2:15 p.m., 19 views

CVE-2024-39902

Tuleap is an open source suite to improve management of software developments and collaboration. Prior to Tuleap Community Edition 15.10.99.128 and Tuleap Enterprise Edition 15.10-6 and 15.9-8, the checkbox "Apply same permissions to all sub-items of this folder" in the document manager permissio...

CVSS 4.8, EPSS 0.00293
Exploits 0, References 4
Vulnrichment
added 2024/07/22 2:10 p.m., 18 views

CVE-2024-39902 Tuleap's recursive permissions to document manager folder are not properly applied

Tuleap is an open source suite to improve management of software developments and collaboration. Prior to Tuleap Community Edition 15.10.99.128 and Tuleap Enterprise Edition 15.10-6 and 15.9-8, the checkbox "Apply same permissions to all sub-items of this folder" in the document manager permissio...

CVSS 4.8, AI score 6.7, EPSS 0.00293
Exploits 0, References 4
OSV
added 2024/07/12 4:45 p.m., 22 views

GO-2024-2981 SQL Injection in the KubeClarity REST API in github.com/openclarity/kubeclarity/backend

SQL Injection in the KubeClarity REST API in github.com/openclarity/kubeclarity/backend...

CVSS 6.5, AI score 6.9, EPSS 0.00443
Exploits 0, References 3
Vulnrichment
added 2024/07/12 2:34 p.m., 22 views

CVE-2024-39909 SQL Injection in the KubeClarity REST API

KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. A time/boolean SQL Injection is present in the following resource /api/applicationResources via the following parameter packageID. As it can be seen in...

CVSS 6.5, AI score 8, EPSS 0.00443
Exploits 0, References 3
Cvelist
added 2024/07/12 2:34 p.m., 38 views

CVE-2024-39909 SQL Injection in the KubeClarity REST API

KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. A time/boolean SQL Injection is present in the following resource /api/applicationResources via the following parameter packageID. As it can be seen in...

CVSS 6.5, EPSS 0.00443
Exploits 0, References 3
OSV
added 2024/07/12 1:56 p.m., 15 views

GHSA-5248-H45P-9PGW SQL Injection in the KubeClarity REST API

Summary: A time/boolean SQL Injection is present in the following resource /api/applicationResources via the following parameter packageID. Details: As it can be seen here, while building the SQL query the fmt.Sprintf function is used to build the query string without the input having first been...

CVSS 7.1, AI score 6.7, EPSS 0.00443
Exploits 0, References 5
Github Security Blog
added 2024/07/12 1:56 p.m., 27 views

SQL Injection in the KubeClarity REST API

Summary: A time/boolean SQL Injection is present in the following resource /api/applicationResources via the following parameter packageID. Details: As it can be seen here, while building the SQL query the fmt.Sprintf function is used to build the query string without the input having first been...

CVSS 6.5, AI score 6.7, EPSS 0.00443
Exploits 0, References 5, Affected Software 1
NVD
added 2024/07/09 11:15 p.m., 21 views

CVE-2024-21832

A potential JSON injection attack vector exists in PingFederate REST API data stores using the POST method and a JSON request body...

CVSS 3.5, EPSS 0.00238
Exploits 0, References 1
CVE
added 2024/07/09 11:04 p.m., 99 views

CVE-2024-21832

CVE-2024-21832 concerns PingFederate with a potential JSON injection vector in REST API data stores via POST requests carrying a JSON body. Metrics indicate low base score (3.5), network access, high attack complexity, and scope changes with partial integrity impact. No explicit remediation or ex...

CVSS 3.5, AI score 4.2, EPSS 0.00238
Exploits 0, References 1
Vulnrichment
added 2024/07/09 11:04 p.m., 29 views

CVE-2024-21832 PingFederate REST API Data Store Injection

A potential JSON injection attack vector exists in PingFederate REST API data stores using the POST method and a JSON request body...

CVSS 3.5, AI score 7.2, EPSS 0.00238
Exploits 0, References 1
NVD
added 2024/07/09 6:15 a.m., 27 views

CVE-2024-5488

The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present...

CVSS 9.8, EPSS 0.03775
Exploits 1, References 1
OSV
added 2024/07/09 6:15 a.m., 3 views

CVE-2024-5488

The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present...

CVSS 9.8, AI score 5.6
Exploits 0, References 1