CVE-2023-36649
Insertion of sensitive information in the centralized Grafana logging system in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate other users in web management and the REST API by reading JWT tokens from logs as a Grafana authenticated user or from the Loki REST API without...
CVE-2023-36652
A SQL Injection in the users searching REST API endpoint in ProLion CryptoSpike 3.0.15P2 allows remote authenticated attackers to read database data via SQL commands injected in the search parameter...
CVE-2023-36647
A hard-coded cryptographic private key used to sign JWT authentication tokens in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate arbitrary users and roles in web management and REST API endpoints via crafted JWT tokens...
CVE-2023-36651
Hidden and hard-coded credentials in ProLion CryptoSpike 3.0.15P2 allow remote attackers to login to web management as super-admin and consume the most privileged REST API endpoints via these credentials...
CVE-2023-36654
Directory traversal in the log-download REST API endpoint in ProLion CryptoSpike 3.0.15P2 allows remote authenticated attackers to download host server SSH private keys associated with a Linux root user by injecting paths inside REST API endpoint parameters...
Hardcoded credentials
Hidden and hard-coded credentials in ProLion CryptoSpike 3.0.15P2 allow remote attackers to login to web management as super-admin and consume the most privileged REST API endpoints via these credentials...
Directory traversal
Directory traversal in the log-download REST API endpoint in ProLion CryptoSpike 3.0.15P2 allows remote authenticated attackers to download host server SSH private keys associated with a Linux root user by injecting paths inside REST API endpoint parameters...
Authentication flaw
Insertion of sensitive information in the centralized Grafana logging system in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate other users in web management and the REST API by reading JWT tokens from logs as a Grafana authenticated user or from the Loki REST API without...
Privilege escalation
Incorrect user role checking in multiple REST API endpoints in ProLion CryptoSpike 3.0.15P2 allows a remote attacker with low privileges to execute privileged functions and achieve privilege escalation via REST API endpoint invocation...
WP Go Maps < 9.0.28 - Unauthenticated Stored XSS
Description: The plugin does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/JavaScript on the site. PoC: Run the following Python script, then visit https://vulnerable-site.tld/wp-admin/admin.php?page=wp-google-maps-menu=editid=1. Alternatively,...
CVE-2023-36647
Summary: CVE-2023-36647 affects ProLion CryptoSpike 3.0.15P2, where a hard-coded cryptographic private key is used to sign JWTs, enabling remote impersonation of users/roles in web management and REST API endpoints. The vulnerability arises from the use of a private key embedded in the product, e...
CVE-2023-36651
Summary: CVE-2023-36651 affects ProLion CryptoSpike 3.0.15P2. The issue arises from hidden and hard-coded credentials that let remote attackers log in to web management as super-admin and access the most privileged REST API endpoints. The available sources consistently describe the vulnerability ...
CVE-2023-36652
CVE-2023-36652 describes a SQL injection in ProLion CryptoSpike 3.0.15P2's users searching REST API endpoint. The underlying issue is unsafely constructed SQL in the search parameter, allowing remote authenticated attackers to read database data. Affected product: ProLion CryptoSpike (version 3.0...
CVE-2023-36649
ProLion CryptoSpike 3.0.15P2 is affected by an authentication/authorization issue arising from insertion of sensitive information into the centralized Grafana logging system, enabling remote attackers to impersonate other users in web management and REST API by reading JWT tokens from logs or the...
CVE-2023-36646
Incorrect user role checking in multiple REST API endpoints in ProLion CryptoSpike 3.0.15P2 allows a remote attacker with low privileges to execute privileged functions and achieve privilege escalation via REST API endpoint invocation...