
4950 matches found

CVE
added 2022/06/03 5:19 a.m., 70 views

CVE-2022-32268

CVE-2022-32268 affects StarWind SAN and NAS v0.2 build 1914. The REST API command to change the hostname does not validate the new hostname parameter and passes it to bash within a script, allowing an attacker with non-root access to inject data and achieve root-level code execution. No exploitat...

CVSS 9, AI score 8.9, EPSS 0.02091
Exploits: 0, References: 1, Affected software: 1

Trellix
added 2022/06/01 12:00 a.m., 103 views

The Bug Report – May 2022 Edition

The Bug Report – May 2022 Edition. By Trellix · June 1, 2022. This blog was written by Douglas McKee. Your Cybersecurity Comic Relief. Source: https://twitter.com/cyb3rops/status/1523579115152064513?s=20&t=jtGMOibQPsPviekQoWKIA. Why Am I here? People often come together not only due to common interest...

AI score 9.1, EPSS 0.99956
Exploits: 66

BDU FSTEC
added 2022/06/01 12:00 a.m., 3 views

The vulnerability in the REST API interface implementation of the IoT device management software package known as Open Automation Software arises from missing authentication for a critical function. It allows an attacker to execute arbitrary code.

The vulnerability in the REST API interface implementation of the IoT device management software package is caused by missing authentication for critical functions. Exploiting it allows a malicious actor to execute arbitrary code by sending specially crafted HTTP...

CVSS 9.7, AI score 8.2, EPSS 0.37606
Exploits: 1, References: 5, Affected software: 1

ATTACKERKB
added 2022/05/26 8:15 p.m., 1 view

CVE-2022-30585

The REST API in Archer Platform 6.x before 6.11 (6.11.0.0) contains an Authorization Bypass Vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to view sensitive information. 6.10 P3 (6.10.0.3) and 6.9 SP3 P4 (6.9.3.4) are also fixed releases...

CVSS 6.5, AI score 6.7, EPSS 0.00829
Exploits: 0, References: 3

Prion
added 2022/05/26 8:15 p.m., 18 views

Authorization

The REST API in Archer Platform 6.x before 6.11 (6.11.0.0) contains an Authorization Bypass Vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to view sensitive information. 6.10 P3 (6.10.0.3) and 6.9 SP3 P4 (6.9.3.4) are also fixed releases...

CVSS 4, AI score 6.2, EPSS 0.00829
Exploits: 0, References: 2, Affected software: 1

CVE
added 2022/05/26 7:18 p.m., 449 views

CVE-2022-30585

CVE-2022-30585 affects Archer Platform 6.x before 6.11 (6.11.0.0) where the REST API permits an Authorization Bypass. A remote authenticated malicious user could view sensitive information. Affected/fixed releases noted: 6.11.0.0 fixes the issue; older releases such as 6.10.0.3 and 6.9.3.4 are al...

CVSS 6.5, AI score 6.2, EPSS 0.00829
Exploits: 0, References: 2, Affected software: 1

Cvelist
added 2022/05/26 7:18 p.m., 23 views

CVE-2022-30585

The REST API in Archer Platform 6.x before 6.11 (6.11.0.0) contains an Authorization Bypass Vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to view sensitive information. 6.10 P3 (6.10.0.3) and 6.9 SP3 P4 (6.9.3.4) are also fixed releases...

CVSS 6.5, AI score 6.4, EPSS 0.00829
Exploits: 0, References: 2

CNVD
added 2022/05/26 12:00 a.m., 25 views

Open Automation Software OAS Platform Access Control Error Vulnerability (CNVD-2022-58679)

Open Automation Software OAS Platform is an industrial Internet of Things (IoT) suite from Open Automation Software, Inc. Open Automation Software OAS Platform V16.00.0121 is vulnerable to an access control error that could be exploited by an attacker to make unauthenticated use of the REST API wit...

CVSS 9.4, AI score 1.9, EPSS 0.37606
Exploits: 1, References: 1

NVD
added 2022/05/25 9:15 p.m., 15 views

CVE-2022-26833

An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. A specially-crafted series of HTTP requests can lead to unauthenticated use of the REST API. An attacker can send a series of HTTP requests to trigger this...

CVSS 9.4, EPSS 0.37606
Exploits: 1, References: 1

Prion
added 2022/05/25 9:15 p.m., 14 views

Authentication flaw

An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. A specially-crafted series of HTTP requests can lead to unauthenticated use of the REST API. An attacker can send a series of HTTP requests to trigger this...

CVSS 7.5, AI score 9.5, EPSS 0.37606
Exploits: 1, References: 1, Affected software: 1

Cvelist
added 2022/05/25 8:15 p.m., 18 views

CVE-2022-26833

An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. A specially-crafted series of HTTP requests can lead to unauthenticated use of the REST API. An attacker can send a series of HTTP requests to trigger this...

CVSS 9.4, AI score 9.6, EPSS 0.37606
Exploits: 1, References: 1

CVE
added 2022/05/25 8:15 p.m., 699 views

CVE-2022-26833

The CVE-2022-26833 issue affects Open Automation Software OAS Platform V16.00.0121. A vulnerability in the REST API allows unauthenticated use via a crafted sequence of HTTP requests, stemming from improper authentication. Consequences cited in the sources include unauthenticated access to the RE...

CVSS 9.4, AI score 9.3, EPSS 0.37606
In wild; Exploits: 1, References: 1, Affected software: 1

Talos
added 2022/05/25 12:00 a.m., 66 views

Open Automation Software OAS Platform REST API unauthenticated vulnerability

Summary: An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. A specially-crafted series of HTTP requests can lead to unauthenticated use of the REST API. An attacker can send a series of HTTP requests to trigger this...

CVSS 9.4, AI score 9.3, EPSS 0.37606
Exploits: 1

Github Security Blog
added 2022/05/24 5:46 p.m., 34 views

Lack of type validation in agent related REST API in Jenkins

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the config.xml REST API endpoint of a node. This allows attackers with Computer/Configure permission to replace a node with one of a different type. Jenkins 2.287, L...

CVSS 4.3, AI score 2.7, EPSS 0.02725
Exploits: 0, References: 5, Affected software: 1

Github Security Blog
added 2022/05/24 5:39 p.m., 42 views

Arbitrary file existence check in file fingerprints in Jenkins

Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier provides a REST API to check where a given fingerprint was used by which builds. This endpoint does not fully validate that the provided fingerprint...

CVSS 4.3, AI score 2.9, EPSS 0.01215
Exploits: 0, References: 4, Affected software: 1

vulnersOsv
added 2022/05/24 5:35 p.m., 7 views

mongo-rest-api (=0.1.0), pine-ql (>=0.1.0 <=0.5.4) potentially affected by CVE-2020-28272 via keyget (=1.0.1)

keyget NPM version =1.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on keyget and may be impacted: - mongo-rest-api =0.1.0 - pine-ql >=0.1.0 <=0.5.4. Source CVEs: CVE-2020-28272. Source advisory: OSV:GHSA-8MP8-28XH-R486...

CVSS 9.8, AI score 7.2, EPSS 0.03257
Exploits: 1

Github Security Blog
added 2022/05/24 5:33 p.m., 24 views

Magento incorrect permissions vulnerability in the Integrations component

Magento version 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorizati...

CVSS 5.5, AI score 6.1, EPSS 0.01682
Exploits: 0, References: 3, Affected software: 2

Github Security Blog
added 2022/05/24 5:33 p.m., 17 views

Magento incorrect user permissions vulnerability within the Inventory component

Magento version 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the...

CVSS 4, AI score 5.7, EPSS 0.01611
Exploits: 0, References: 3, Affected software: 2

Github Security Blog
added 2022/05/24 5:33 p.m., 19 views

Magento 2 Community Edition vulnerable to Improper Authorization

Magento version 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization...

CVSS 5.5, AI score 6.7, EPSS 0.0156
Exploits: 0, References: 5, Affected software: 1

OSV
added 2022/05/24 5:33 p.m., 17 views

GHSA-HVF5-4JR9-FGHH Magento incorrect permissions vulnerability in the Integrations component

Magento version 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorizati...

CVSS 4.9, AI score 4.6, EPSS 0.01682
Exploits: 0, References: 3