4960 matches found

WPVulnDB
added 2024/04/29 12:0 a.m., 20 views

Headline Analyzer < 1.3.4 - Cross-Site Request Forgery

Description: The Headline Analyzer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing or incorrect nonce validation on several REST API endpoints. This makes it possible for unauthenticated attackers to perform sever...

CVSS 4.3, AI score 6.7, EPSS 0.002
Exploits 0, References 1, Affected Software 1
WPVulnDB
added 2024/04/29 12:0 a.m., 23 views

Subway – Private Site Option <= 2.1.4 - Improper Access Control to Sensitive Information Exposure via REST API

Description: The Subway – Private Site Option plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's private site feature and view restricted page...

CVSS 5.3, AI score 6.8, EPSS 0.00448
Exploits 0, References 1
IBM Security Bulletins
added 2024/04/26 2:1 p.m., 39 views

Security Bulletin: IBM MQ is vulnerable to an issue in follow-redirects due to open redirect (CVE-2023-26159)

Summary: IBM MQ has addressed an issue in follow-redirects. Follow-redirects is used by IBM MQ as part of the MQ Console. Vulnerability Details: CVEID: CVE-2023-26159. DESCRIPTION: follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An...

CVSS 7.3, AI score 6.6, EPSS 0.00797
Exploits 1, Affected Software 1
GithubExploit
added 2024/04/22 10:14 p.m., 339 views

Exploit for Path Traversal in Jetbrains Teamcity

RCity - CVE-2024-27198 RCE & Admin Account Creation & CVE-20...

CVSS 9.8, AI score 9.3, EPSS 0.99991
Exploits 24
Wallarm Lab
added 2024/04/22 12:47 p.m., 25 views

Wallarm’s Open Source API Firewall debuts at Blackhat Asia 2024 – Introduces Key New Features & Functionalities

Wallarm introduced its ongoing Open Source API Firewall project to the world at the recently concluded Blackhat Asia 2024 conference in Singapore. The open-source API Firewall by Wallarm is a free, lightweight API Firewall designed to protect REST and GraphQL API endpoints across cloud-native...

AI score 8.1
Exploits 0
Zero Day Initiative
added 2024/04/22 12:0 a.m., 185 views

Google cAdvisor REST API Improper Access Control Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Google cAdvisor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the REST API endpoint, which listens on TCP port 8080 by default. The issue...

CVSS 5.3, AI score 6.5
Exploits 0, References 1
Atlassian
added 2024/04/16 9:46 p.m., 52 views

REST API pagination (eg, /rest/api/space) returns more data than available

Issue Summary: This issue relates to general paginated results. Requesting data from an endpoint such as /rest/api/space or rest/api/content causes Confluence to return more data than available. This is reproducible on Data Center: yes. Steps to Reproduce: Request /rest/api/space to collect...

AI score 7
Exploits 0
WPVulnDB
added 2024/04/11 12:0 a.m., 16 views

PostX – Gutenberg Blocks for Post Grid < 3.2.4 - Incorrect Authorization

Description: The PostX – Gutenberg Blocks for Post Grid plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with author-level access an...

CVSS 8.8, AI score 6.2, EPSS 0.00336
Exploits 0, References 1, Affected Software 1
WPVulnDB
added 2024/04/10 12:0 a.m., 22 views

WordPress Geo Controller < 8.6.5 - PHP Object Injection

Description: The plugin unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog. PoC...

AI score 7, EPSS 0.00489
Exploits 2, References 1, Affected Software 1
Kitploit
added 2024/04/06 11:30 a.m., 34 views

ADOKit - Azure DevOps Services Attack Toolkit

Azure DevOps Services Attack Toolkit - ADOKit is a toolkit that can be used to attack Azure DevOps Services by taking advantage of the available REST API. The tool allows the user to specify an attack module, along with specifying valid credentials (API key or stolen authentication cookie) for the...

AI score 7.8
Exploits 0, References 7
Packet Storm
added 2024/04/05 12:0 a.m., 768 views

Visual Planning REST API 2.0 Authentication Bypass

(PGP signed message, hash SHA512.) Title: SCHUTZWERK-SA-2023-003: Authentication Bypass in Visual Planning REST API. Status: PUBLISHED. Version: 1.0. CVE reference: CVE-2023-49231. Link: https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-003/...

AI score 6.8, EPSS 0.42898
Exploits 1
NVD
added 2024/04/04 6:15 a.m., 14 views

CVE-2024-1418

The CGC Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2 via the REST API. This makes it possible for unauthenticated attackers to view protected posts via REST API even when maintenance mode is enabled...

CVSS 5.3, AI score 5.1, EPSS 0.00425
Exploits 0, References 2
CVE
added 2024/04/04 5:34 a.m., 86 views

CVE-2024-1418

CVE-2024-1418 affects the CGC Maintenance Mode plugin for WordPress. According to connected sources, versions up to and including 1.2 are vulnerable to sensitive information exposure via the REST API, allowing unauthenticated attackers to view protected posts while maintenance mode is enabled. Th...

CVSS 5.3, AI score 9.2, EPSS 0.00425
Exploits 0, References 2
Vulnrichment
added 2024/04/04 5:34 a.m., 9 views

CVE-2024-1418

The CGC Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2 via the REST API. This makes it possible for unauthenticated attackers to view protected posts via REST API even when maintenance mode is enabled...

CVSS 5.3, AI score 6.8, EPSS 0.00425
Exploits 0, References 2
Cvelist
added 2024/04/04 5:34 a.m., 21 views

CVE-2024-1418 CGC Maintenance Mode <= 1.2 - Sensitive Information Exposure

The CGC Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2 via the REST API. This makes it possible for unauthenticated attackers to view protected posts via REST API even when maintenance mode is enabled...

CVSS 5.3, AI score 5.4, EPSS 0.00425
Exploits 0, References 2
Positive Technologies
added 2024/04/04 12:0 a.m., 5 views

PT-2024-18028 · WordPress · Cgc Maintenance Mode

Name of the Vulnerable Software and Affected Versions: CGC Maintenance Mode plugin for WordPress versions up to, and including, 1.2. Description: The issue allows unauthenticated attackers to view protected posts via the REST API, even when maintenance mode is enabled. This is possible due to...

CVSS 5.3, AI score 9.4, EPSS 0.00425
Exploits 0, References 4
SUSE CVE
added 2024/04/03 1:54 a.m., 3 views

SUSE CVE-2024-23449

An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the REST API. The Elasticsearch ingest node that attempts to parse the PDF file will crash. This does not happen with password-protected PDF files or with unencrypte...

CVSS 5.3, AI score 6.9, EPSS 0.00681
Exploits 0, References 3
Tenable Nessus
added 2024/04/03 12:0 a.m., 25 views

Elasticsearch 8.4.0 < 8.11.1 DoS (ESA-2024-05)

The version of Elasticsearch installed on the remote host is between 8.4.0 and prior to 8.11.1. It is, therefore, affected by a denial of service (DoS) vulnerability, due to an uncaught exception that occurs when an encrypted PDF is passed to an attachment processor through the REST API. The...

CVSS 5.3, AI score 5.3, EPSS 0.00681
Exploits 0, References 2
WPVulnDB
added 2024/04/03 12:0 a.m., 13 views

Tainacan < 0.20.8 - Missing Authorization

Description: The Tainacan plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in versions up to, and including, 0.20.7. This makes it possible for unauthenticated attackers to perform unauthorized actions...

CVSS 9.8, AI score 7, EPSS 0.00438
Exploits 0, References 1, Affected Software 1
WPVulnDB
added 2024/04/03 12:0 a.m., 23 views

WP Hotel Booking < 2.0.9.3 - Improper Authorization on Multiple REST API Routes

Description: The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to an improper capability check on the 'pricingplans', 'blockdate', 'managerbookings', and 'updatefieldroom' functions for the 'pricing-plans', 'block-date',...

AI score 6.6
Exploits 0, References 1, Affected Software 1