4960 matches found
CVE-2024-5488 SEOPress < 7.9 - Unauthenticated Object Injection
The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present...
CVE-2024-5488
The CVE-2024-5488 entry concerns the SEOPress WordPress plugin (versions before 7.9). Affected component: REST API routes; root cause involves insufficient protection that, when combined with an Object Injection vulnerability, lets unauthenticated attackers unserialize malicious gadget chains. Pr...
WordPress plugin SEOPress security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...
GHSA-J59V-VGCR-HXVF GeoServer's Server Status shows sensitive environmental variables and Java properties
GeoServer's Server Status page and REST API at /geoserver/rest/about/status list all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules' status message. These variables/properties can also contain sensitive information, such as...
CVE-2024-34696 GeoServer's Server Status shows sensitive environmental variables and Java properties
GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer's Server Status page and REST API list all environment variables and Java properties to any GeoServer user with administrative...
CVE-2024-34696
Geoserver CVE-2024-34696 describes exposure of environment variables and Java system properties via the Server Status page and REST API, accessible to administrators. The issue affects GeoServer 2.10.0 up to versions before 2.24.4 and 2.25.1, where environment data (e.g., database passwords, API ...
Security Bulletin: IBM MQ is affected by a password disclosure vulnerability (CVE-2024-35156)
Summary: IBM MQ has addressed a password disclosure vulnerability in the IBM MQ REST API. Vulnerability Details: CVEID: CVE-2024-35156. DESCRIPTION: IBM MQ could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This informatio...
MAL-2024-1799 Malicious code in azure-rest-api-specs-tests (npm)
MAL-2024-1798 Malicious code in azure-rest-api-specs-eng-tools (npm)
Source: ossf-package-analysis (report 34ba9e800ce9823b7e1b4b90d47a87eafdfb783d616caa8a69bf93f55ee0a9b5). The OpenSSF Package Analysis project identified 'azure-rest-api-specs-eng-tools' @ 1.0.1 npm as malicious. It is considered malicious because: -...
CVE-2024-5639
The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'restapichangeprofileimage' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...
CVE-2024-3605 WP Hotel Booking <= 2.1.0 - Unauthenticated SQL Injection
The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'roomtype' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions up to, and including, 2.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on...
SUSE CVE-2024-36543
Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka Mirroring, potentially mirror the topics' content to his Kafka cluster via a malicious connector bypassing Kafka ACL if it exists, and potentially stea...