Post Grid Combo – 36+ Gutenberg Blocks < 2.2.69 - Information Exposure via get_posts API Endpoint

Description The plugin is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.68 via the 'getposts' REST API Endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including full draft posts and password protected posts, as well...

CVE-2023-7072

The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.68 via the 'getposts' REST API Endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including full draft...

Default credentials

The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.68 via the 'getposts' REST API Endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including full draft...

CVE-2023-7072 Post Grid Combo – 36+ Gutenberg Blocks <= 2.2.68 - Information Exposure via get_posts API Endpoint

The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.68 via the 'getposts' REST API Endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including full draft...

CVE-2023-7072

The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.68 via the 'getposts' REST API Endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including full draft...

CVE-2023-7072

CVE-2023-7072 affects the Post Grid Combo – 36+ Gutenberg Blocks WordPress plugin. All versions up to 2.2.68 expose sensitive data via the get_posts REST API endpoint, allowing unauthenticated access to full draft posts, password-protected posts, and passwords. The issue is an Information Exposur...

CVE-2024-28198

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. By manually manipulating http requests when using the draw.io integration it is possible to read arbitrary files as the configured system user and SSRF. The problem is fixed in version...

Design/Logic Flaw

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. By manually manipulating http requests when using the draw.io integration it is possible to read arbitrary files as the configured system user and SSRF. The problem is fixed in version...

CVE-2024-28198 XML external entity (XXE) injection in OpenOLAT

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. By manually manipulating http requests when using the draw.io integration it is possible to read arbitrary files as the configured system user and SSRF. The problem is fixed in version...

CVE-2024-28198

OpenOLAT contains an XXE/SSRF vulnerability in the draw.io integration that allows an attacker to read arbitrary files as the system user by manipulating HTTP requests. Affected versions are OpenOLAT prior to 18.1.6 and prior to 18.2.2. The issue is fixed in 18.1.6 and 18.2.2; users should upgrad...

PT-2024-22332 · Drawio +1 · Drawio +1

Name of the Vulnerable Software and Affected Versions: OpenOlat versions prior to 18.1.6 OpenOlat versions prior to 18.2.2 Description: OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. By manually manipulating http requests when using...

Simple Restrict < 1.2.7 - Missing Authorization to Sensitive Information Exposure

Description The Simple Restrict plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.6 via the REST API. This makes it possible for authenticated attackers to bypass the plugin's restrictions to extract post titles and content...

BIT-GITLAB-2020-26415

Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab =12.2 to =13.5 to =13.6 to 13.6.2...

BIT-GITLAB-2022-1783

An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for malicious group maintainers to add new members to a project within their...

BIT-GITLAB-2022-1999

An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. Under certain conditions, using the REST API an unprivileged user was able to change labels description...

BIT-MEDIAWIKI-2021-44854

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis...

BIT-WORDPRESS-2023-5561 WordPress < 6.3.2 - Unauthenticated Post Author Email Disclosure

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack...

BIT-WORDPRESS-MULTISITE-2023-5561 WordPress < 6.3.2 - Unauthenticated Post Author Email Disclosure

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack...

BIT-MAGENTO-2020-24402 Incorrect permissions in the Integrations component could lead to unauthorized deletion of customer details via REST API

Magento version 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorizati...

BIT-MAGENTO-2020-24403 Incorrect permissions could lead to unauthorized modification of inventory source data via REST API

Magento version 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the...