4950 matches found
CVE-2022-24847 Improper Input Validation in GeoServer
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. The same can...
admin-tool-button (>=1.0.1a0 <=1.0.5a0), aimmo (>=2.0.0 <=2.0.1) +71 more potentially affected by CVE-2022-28347 via django (>=3.2.0 <=3.2.12)
django PYPI version =3.2.0, =1.0.1a0, =2.0.0, =0.2.0, =22.0.0.dev21, =22.0.0.dev13, =22.0.0.dev29, =6.0.0, =6.0.0, =6.4.1 - coldfront =1.1.0 - common-framework =2021.4.1 - directory-validators =9.0.0 and more Source cves: CVE-2022-28347 Source advisory: OSV:GHSA-W24H-V9QH-8GXJ...
WordPress Easily Generate Rest API Url plugin <= 1.0.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by websafe2021 in WordPress Easily Generate Rest API Url plugin versions <= 1.0.0. Solution: deactivate and delete the plugin. This plugin has been closed as of 29 March 2022 and is not available for download. This closure is temporary, pending a full...
Easily Generate Rest API Url <= 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, allowing high-privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. PoC: put the following payload in the "Post Per Page" or "Enter Search Text" settings of the plugin: "autofocu...
PT-2022-19401
Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine Access Manager Plus versions prior to 4302; Zoho ManageEngine Password Manager Pro versions prior to 12007; ManageEngine Privileged Access Manager 360 (PAM360) versions prior to 5401. Description: The software solutions Zoho...
A vulnerability in the Kubeclient::Config implementation of the Ruby REST API client for Kubernetes allows an attacker to perform a man-in-the-middle attack.
The Kubeclient::Config implementation of the Ruby REST API client for Kubernetes performs certificate validation incorrectly. Exploiting this vulnerability could enable a malicious actor to carry out a man-in-the-middle attack...
Design/Logic Flaw
In RSA Archer 6.x through 6.9 SP3 (6.9.3.0), an authenticated attacker can make a GET request to a REST API endpoint that is vulnerable to an Insecure Direct Object Reference (IDOR) issue and retrieve sensitive data...
CVE-2022-0549
An issue has been discovered in GitLab CE/EE affecting all versions before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under certain conditions, GitLab REST API may allow unprivileged users to add other users to groups even if that is not...
UBUNTU-CVE-2022-0549
An issue has been discovered in GitLab CE/EE affecting all versions before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under certain conditions, GitLab REST API may allow unprivileged users to add other users to groups even if that is not...
CVE-2022-0549
CVE-2022-0549 affects GitLab CE/EE; versions before 14.3.6, 14.4 before 14.4.4, and 14.5 before 14.5.2 are vulnerable. Under certain conditions, the REST API could allow unprivileged users to add other users to groups, contrary to Web UI constraints. Root cause: access control issue. Impact: unau...
CVE-2022-0549
Removed by vendor...
Information Disclosure
statamic/cms is vulnerable to information disclosure. The users endpoint of the REST API allows users to be filtered by password hash, so an attacker can use a specially crafted regular expression filter to learn sensitive information...
PT-2022-13253 · Gitlab · Gitlab Ce/Ee +1
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions prior to 14.3.6 GitLab CE/EE versions 14.4.0 through 14.4.3 GitLab CE/EE versions 14.5.0 through 14.5.1 Description: An issue has been discovered in GitLab CE/EE that allows unprivileged users to add other users to group...
GHSA-69P3-XP37-F692 Improper Certificate Validation in kubeclient
A flaw was found in all versions of kubeclient up to but not including v4.9.3, the Ruby client for the Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure a custom CA to verify certs, kubeclient ends up accepting any certificate; it wrongly returns...
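The decision the advisory describes (no custom CA in the kubeconfig, therefore no peer verification at all) is easy to reproduce and to audit for. The following is an added Python model of that parsing logic, not kubeclient's Ruby code: the kubeconfig is constructed for this example and embedded as JSON (valid YAML, so no YAML library is needed), and the function names `vulnerable_ssl_options`, `hardened_ssl_options` and `audit` are hypothetical. The hardened variant treats a missing CA field as "use the system trust store with peer verification", and only an explicit `insecure-skip-tls-verify: true` turns verification off.

```python
import json
import ssl

# Mirror the two OpenSSL verify modes kubeclient chooses between.
VERIFY_PEER = ssl.CERT_REQUIRED
VERIFY_NONE = ssl.CERT_NONE

# Constructed kubeconfig for this example (JSON is valid YAML). Only the
# fields that influence the TLS decision are present.
KUBECONFIG = json.loads("""{
  "apiVersion": "v1",
  "current-context": "prod",
  "clusters": [
    {"name": "prod", "cluster": {"server": "https://10.0.0.1:6443"}},
    {"name": "dev",  "cluster": {"server": "https://10.0.0.2:6443",
                                 "certificate-authority": "/tmp/dev-ca.crt"}},
    {"name": "lab",  "cluster": {"server": "https://10.0.0.3:6443",
                                 "insecure-skip-tls-verify": true}}
  ],
  "contexts": [
    {"name": "prod", "context": {"cluster": "prod", "user": "u"}},
    {"name": "dev",  "context": {"cluster": "dev",  "user": "u"}},
    {"name": "lab",  "context": {"cluster": "lab",  "user": "u"}}
  ]
}""")


def cluster_for(config, context_name):
    """Resolve a context name to its cluster block."""
    ctx = next(c for c in config["contexts"] if c["name"] == context_name)
    cluster_name = ctx["context"]["cluster"]
    return next(c for c in config["clusters"] if c["name"] == cluster_name)["cluster"]


def vulnerable_ssl_options(cluster):
    """Models the flawed behaviour: only a cluster that ships its own CA gets
    peer verification; one that relies on the system trust store silently
    falls through to VERIFY_NONE, so any certificate is accepted."""
    if "certificate-authority" in cluster:
        return {"ca_file": cluster["certificate-authority"], "verify_ssl": VERIFY_PEER}
    return {"verify_ssl": VERIFY_NONE}


def hardened_ssl_options(cluster):
    """Verify the peer by default. No CA field means 'use the system store';
    only an explicit insecure-skip-tls-verify opts out of verification."""
    if cluster.get("insecure-skip-tls-verify") is True:
        return {"verify_ssl": VERIFY_NONE}
    opts = {"verify_ssl": VERIFY_PEER}
    if "certificate-authority" in cluster:
        opts["ca_file"] = cluster["certificate-authority"]
    elif "certificate-authority-data" in cluster:
        opts["ca_data"] = cluster["certificate-authority-data"]
    return opts


def audit(config, builder):
    """Return the context names whose resulting options skip certificate
    checks, so a kubeconfig can be screened before a client is built."""
    return sorted(
        ctx["name"]
        for ctx in config["contexts"]
        if builder(cluster_for(config, ctx["name"]))["verify_ssl"] == VERIFY_NONE
    )


if __name__ == "__main__":
    print("flawed logic skips verification for:", audit(KUBECONFIG, vulnerable_ssl_options))
    print("hardened logic skips verification for:", audit(KUBECONFIG, hardened_ssl_options))
```

Running the audit with the flawed builder flags both `prod` (no CA, so it should have used the system store) and `lab` (explicit opt-out); the hardened builder flags only `lab`, which is the one place a kubeconfig actually asked for no verification.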
CVE-2022-24784
Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire...
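The two Statamic entries above describe the same primitive: a REST filter that evaluates a caller-supplied regular expression against a stored secret turns a yes/no response into a per-character oracle. The following is an added Python model of that class of bug, not Statamic's Laravel code and not its real request format: the user records and their bcrypt-shaped hashes are constructed for this example, and `vulnerable_filter`, `hardened_filter` and `recover_hash` are hypothetical names. It recovers a hash by extending a confirmed prefix one character at a time, counts the requests that costs, and shows the fix, an allowlist of filterable fields that rejects a filter on the password column before any regex runs.

```python
import re
import string

# Constructed sample user store. The hashes are made-up bcrypt-shaped strings,
# not real credentials.
USERS = [
    {"name": "alice", "email": "alice@example.test",
     "password": "$2y$10$abcDEF123.xyzEXAMPLEhashVALUE00000000000000000000000"},
    {"name": "bob", "email": "bob@example.test",
     "password": "$2y$10$zzzQQQ999/anotherEXAMPLEhashVALUE11111111111111111111"},
]


def vulnerable_filter(filters):
    """Models a users endpoint that applies caller-supplied regexes to any
    stored field, the password hash included. Returns matching user names;
    an empty list versus a non-empty one is the whole leak."""
    matches = []
    for user in USERS:
        if all(re.search(rx, str(user.get(field, ""))) for field, rx in filters.items()):
            matches.append(user["name"])
    return matches


# Fields a caller is allowed to filter on. Secrets are never in this set.
FILTERABLE = {"name", "email"}


def hardened_filter(filters):
    """Same endpoint with an allowlist: a filter naming any other field is
    rejected outright instead of being evaluated against the record."""
    disallowed = set(filters) - FILTERABLE
    if disallowed:
        raise ValueError(f"filtering on non-filterable field(s): {sorted(disallowed)}")
    return vulnerable_filter(filters)


# Characters that can appear in a bcrypt string: '$' separators plus ./A-Za-z0-9.
HASH_ALPHABET = "$./" + string.ascii_letters + string.digits


def recover_hash(endpoint, target_name, max_len=80):
    """Extract the target user's hash through the boolean oracle. Each round
    probes '^' + known_prefix + candidate until one matches; when no candidate
    extends the prefix the hash is complete. Returns (hash, requests_used)."""
    prefix, requests = "", 0
    while len(prefix) < max_len:
        for ch in HASH_ALPHABET:
            requests += 1
            probe = {
                "name": f"^{re.escape(target_name)}$",   # pin the oracle to one user
                "password": "^" + re.escape(prefix + ch),
            }
            if endpoint(probe):
                prefix += ch
                break
        else:
            break  # no character extends the prefix: end of the hash
    return prefix, requests


if __name__ == "__main__":
    recovered, cost = recover_hash(vulnerable_filter, "alice")
    print(f"recovered {recovered!r} in {cost} requests")
    try:
        hardened_filter({"name": "^alice$", "password": "^\\$2y"})
    except ValueError as exc:
        print("hardened endpoint refused:", exc)
```

Anchoring the probe with `^` is what makes the leak linear: without it a regex would only tell the attacker whether a substring occurs somewhere, and the prefix could not be grown deterministically. The fix is to stop the regex from ever touching the password field; escaping or rate limiting alone leaves the oracle in place, just slower.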