4960 matches found
CVE-2023-36388
CVE-2023-36388 concerns Apache Superset. The issue is an improper REST API permission configuration that allows an authenticated, low-privilege user to make the server initiate network connections, enabling possible SSRF. The vulnerability affects Superset versions up to and including 2.1.0, with th...
CVE-2023-36387
CVE-2023-36387 affects Apache Superset up to and including version 2.1.0. The issue is an improper default REST API permission that allows an authenticated Gamma user to test a database connection. Multiple connected sources corroborate the issue (e.g., Red Hat, OSV, CNVD-like re...
CVE-2023-36387 Apache Superset: Improper API permission for low privilege users
An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections...
PT-2023-25567 · Apache · Apache Superset
Name of the Vulnerable Software and Affected Versions: Apache Superset versions up to and including 2.1.0 Description: The issue is related to an improper REST API permission in Apache Superset, allowing authenticated Gamma users to test network connections, which may lead to Server-Side...
PT-2023-6899 · Apache · Apache Superset
Name of the Vulnerable Software and Affected Versions: Apache Superset versions up to and including 2.1.0 Description: The issue is related to an improper default REST API permission for Gamma users in Apache Superset, which stems from a shortcoming in the authorization mechanism. This allows...
Malicious code in your-dpd-rest-api-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 57f29438d66f642d44c66209d9219a5bce9c31f2cdb3437e711193f13af28113 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2023-7941 Malicious code in your-dpd-rest-api-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 57f29438d66f642d44c66209d9219a5bce9c31f2cdb3437e711193f13af28113 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Elasticsearch Enumeration Utility
This module enumerates Elasticsearch instances. It uses the REST API to gather information about the server, the cluster, the nodes in the cluster, and the indices, and to pull data from those indices. Module Options msf > use auxiliary/gather/elasticsearch_enum msf auxiliary(elasticsearch_enum) > show action...
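The walk the module description outlines (server, cluster, nodes, indices, then documents) maps onto a handful of Elasticsearch REST endpoints. Below is an added Python example of that enumeration; it is not the Metasploit module's code. The endpoint paths (`/`, `/_cluster/health`, `/_cat/nodes`, `/_cat/indices`, `/<index>/_search`) are real Elasticsearch REST paths; the `fetch` callable stands in for an HTTP GET against the node, and the JSON responses are constructed samples written for this example, not captured from a real cluster.

```python
"""Added example of REST-based Elasticsearch enumeration (not the Metasploit
module's code). `fetch(path)` stands in for `requests.get(base_url + path).text`;
SAMPLE_RESPONSES are constructed, roughly what an unauthenticated 7.x node returns."""
import json
from typing import Any, Callable, Dict

SAMPLE_RESPONSES: Dict[str, str] = {
    "/": json.dumps({"name": "node-1", "cluster_name": "prod-logs",
                     "version": {"number": "7.10.2", "lucene_version": "8.7.0"}}),
    "/_cluster/health": json.dumps({"cluster_name": "prod-logs", "status": "yellow",
                                    "number_of_nodes": 2, "number_of_data_nodes": 2}),
    "/_cat/nodes?format=json": json.dumps([
        {"ip": "10.0.0.11", "node.role": "dim", "master": "*", "name": "node-1"},
        {"ip": "10.0.0.12", "node.role": "di", "master": "-", "name": "node-2"},
    ]),
    "/_cat/indices?format=json": json.dumps([
        {"index": "customers", "docs.count": "1200", "store.size": "3.1mb"},
        {"index": ".kibana_1", "docs.count": "40", "store.size": "100kb"},
    ]),
    "/customers/_search?size=2": json.dumps({"hits": {"total": {"value": 1200}, "hits": [
        {"_id": "1", "_source": {"email": "a@example.com", "plan": "gold"}},
        {"_id": "2", "_source": {"email": "b@example.com", "plan": "free"}},
    ]}}),
}


def sample_fetch(path: str) -> str:
    """Offline stand-in for an HTTP GET; raises KeyError for paths not in the sample."""
    return SAMPLE_RESPONSES[path]


def enumerate_elasticsearch(fetch: Callable[[str], str], sample_docs: int = 2) -> Dict[str, Any]:
    """Walk the REST API the way an enumeration module does:
    server -> cluster health -> nodes -> indices -> a few documents per index.
    Dot-prefixed system indices (.kibana_1, .security, ...) are listed but not dumped."""
    root = json.loads(fetch("/"))
    health = json.loads(fetch("/_cluster/health"))
    nodes = json.loads(fetch("/_cat/nodes?format=json"))
    indices = json.loads(fetch("/_cat/indices?format=json"))
    result: Dict[str, Any] = {
        "version": root["version"]["number"],
        "cluster": root["cluster_name"],
        "status": health["status"],
        "nodes": [{"name": n["name"], "ip": n["ip"], "master": n.get("master") == "*"}
                  for n in nodes],
        "indices": {i["index"]: int(i["docs.count"]) for i in indices},
        "samples": {},
    }
    for name in result["indices"]:
        if name.startswith("."):
            continue
        hits = json.loads(fetch(f"/{name}/_search?size={sample_docs}"))["hits"]["hits"]
        result["samples"][name] = [h["_source"] for h in hits]
    return result


if __name__ == "__main__":
    print(json.dumps(enumerate_elasticsearch(sample_fetch), indent=2))
```

Against a live node you would pass `lambda p: requests.get(base_url + p, timeout=5).text` as `fetch`; that every step above works without credentials is exactly the finding such a module reports.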
Malicious code in @dpdgroupuk/your-dpd-rest-api-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4dc0b6ed54c73bb7b7cfbb33bfedad652cee9252913fd10dcc726d67cdea39f8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
SugarCRM 12.2.0 Bean Manipulation Vulnerability
------------------------------------------------------------------------ SugarCRM <= 12.2.0 updateGeocodeStatus Bean Manipulation Vulnerability ------------------------------------------------------------------------ - Software Link: https://www.sugarcrm.com - Affected Versions: Version 12.2.0 and...
SugarCRM 12.2.0 PHP Object Injection Vulnerability
------------------------------------------------------------------------------- SugarCRM <= 12.2.0 DocusignGlobalSettings PHP Object Injection Vulnerability ------------------------------------------------------------------------------- - Software Link: https://www.sugarcrm.com - Affected Versions...
Evil QR - Proof-of-concept To Demonstrate Dynamic QR Swap Phishing Attacks In Practice
Toolkit demonstrating another approach to a QRLJacking attack, allowing remote account takeover through sign-in QR code phishing. It consists of a browser extension used by the attacker to extract the sign-in QR code and a server application, which retrieves the sign-in QR codes to...
SugarCRM 12.2.0 SQL Injection
---------------------------------------------------- SugarCRM <= 12.2.0 Two SQL Injection Vulnerabilities ---------------------------------------------------- - Software Link: https://www.sugarcrm.com - Affected Versions: Version 12.2.0 and prior versions. Version 12.0.2 and prior versions. Versio...
SugarCRM 12.2.0 PHP Object Injection
------------------------------------------------------------------------------- SugarCRM <= 12.2.0 DocusignGlobalSettings PHP Object Injection Vulnerability ------------------------------------------------------------------------------- - Software Link: https://www.sugarcrm.com - Affected Versions...
SugarCRM 12.2.0 Bean Manipulation
------------------------------------------------------------------------ SugarCRM <= 12.2.0 updateGeocodeStatus Bean Manipulation Vulnerability ------------------------------------------------------------------------ - Software Link: https://www.sugarcrm.com - Affected Versions: Version 12.2.0 and...
CVE-2023-0551
The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and delete arbitrary attachments...
Cross site request forgery (csrf)
The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and delete arbitrary attachments...
CVE-2023-0551
CVE-2023-0551 affects the WordPress plugin REST API TO MiniProgram (through 4.6.1). The vulnerability is due to missing authorization checks and CSRF protection in an AJAX action, allowing any authenticated user (e.g., a subscriber) to call it and delete arbitrary attachments. Connected source...
CVE-2023-0551 REST API TO MiniProgram <= 4.6.1 - Subscriber+ Attachment Deletion
The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and delete arbitrary attachments...
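The CVE-2023-0551 entries name two missing checks on one AJAX action: no authorization check on the attachment being deleted, and no CSRF protection. The following added Python model shows the vulnerable handler beside a fixed one; it is not the plugin's code, and the `User`, `Site`, nonce scheme and parameter names are hypothetical stand-ins for the WordPress equivalents (`current_user_can`, `check_ajax_referer`, `wp_delete_attachment`). It illustrates why both checks are needed: the capability check stops the subscriber calling the action directly, and the nonce stops a forged cross-site request that rides an administrator's cookie.

```python
"""Added model of the CVE-2023-0551 pattern (not the plugin's code): an AJAX
delete action with no object-level authorization and no CSRF nonce, next to a
version that has both. All names below are hypothetical stand-ins."""
import hashlib
import hmac
from dataclasses import dataclass, field

SECRET = b"constructed-site-secret"  # hypothetical server-side key for nonces


@dataclass
class User:
    id: int
    role: str  # "subscriber", "author" or "admin"


@dataclass
class Site:
    attachments: dict = field(default_factory=dict)  # attachment id -> owner user id


def make_nonce(user: User, action: str) -> str:
    """Nonce bound to the acting user and the action (same idea as wp_create_nonce,
    minus the time window). A cross-site attacker cannot compute it."""
    return hmac.new(SECRET, f"{user.id}:{action}".encode(), hashlib.sha256).hexdigest()[:16]


def verify_nonce(user: User, action: str, nonce: str) -> bool:
    return hmac.compare_digest(make_nonce(user, action), nonce)


def can_delete(user: User, site: Site, attachment_id: int) -> bool:
    """Object-level authorization (the current_user_can('delete_post', id) analogue):
    admins may delete anything, authors their own uploads, subscribers nothing."""
    owner = site.attachments.get(attachment_id)
    if owner is None:
        return False
    return user.role == "admin" or (user.role == "author" and owner == user.id)


def delete_attachment_vulnerable(user: User, site: Site, params: dict) -> str:
    """The vulnerable pattern: any logged-in user, any attachment id, no nonce."""
    site.attachments.pop(int(params["id"]), None)
    return "deleted"


def delete_attachment_fixed(user: User, site: Site, params: dict) -> str:
    """Nonce first (rejects forged cross-site requests), then the capability check
    on the specific attachment (rejects low-privilege users and other users' files)."""
    if not verify_nonce(user, "delete_attachment", params.get("_ajax_nonce", "")):
        return "403 bad nonce"
    attachment_id = int(params["id"])
    if not can_delete(user, site, attachment_id):
        return "403 forbidden"
    site.attachments.pop(attachment_id)
    return "deleted"
```

The test cases worth running are the subscriber with a valid nonce (must fail on capability), the administrator's session replayed by a cross-site page without a nonce (must fail on the nonce), and the author deleting their own upload (must succeed).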