Lucene search
4948 matches found

WPVulnDB
added 2021/03/17 12:00 a.m., 11 views

BuddyPress < 7.2.1 - Read Private Messages

The BuddyPress WordPress plugin, versions before 7.2.1, fixed a vulnerability that could allow a member to read private messages in a thread they were not invited to, using the BuddyPress REST API buddypress/v1/messages endpoint...

AI score 4.4
Exploits 0, References 2, Affected software 1
CNVD
added 2021/03/17 12:00 a.m., 9 views

IBM Spectrum Scale Denial of Service Vulnerability (CNVD-2021-20199)

IBM Spectrum Scale is a scalable data and file management solution from IBM (USA), based on IBM GPFS, an enterprise file management system optimized for petabyte-scale storage management. The product helps clients reduce storage costs while improving security and management efficiency in...

CVSS 4.4, AI score 6.5, EPSS 0.00241
Exploits 0, References 1
WPVulnDB
added 2021/03/17 12:00 a.m., 9 views

BuddyPress < 7.2.1 - Invite Member to Join Group

The BuddyPress WordPress plugin, versions before 7.2.1, fixed a vulnerability that could allow a member to invite another member to join a group without being friends when that group restricted invites to friends only, using BuddyPress Nouveau and the BuddyPress REST API...

AI score 4.8
Exploits 0, References 2, Affected software 1
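Both BuddyPress entries above are the same class of flaw: a REST endpoint resolves an object (a message thread, a group) from an ID in the request and acts on it without checking that the caller is a participant, or without applying a policy (friends-only invites) that the non-REST UI did apply. The following is an added example, not BuddyPress or WordPress code, showing the vulnerable and hardened shape of each check against a constructed in-memory data set; the names `Thread`, `Group`, `FRIENDS`, `get_thread_messages` and `invite_to_group` are hypothetical.

```python
"""Object-level authorization for a message thread and a group invite.

Added example, not BuddyPress code. Data below is constructed:
user 7 was never invited to thread 2 and is nobody's friend.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


@dataclass
class Thread:
    thread_id: int
    recipients: frozenset[int]              # user IDs invited to the thread
    messages: list[str] = field(default_factory=list)


@dataclass
class Group:
    group_id: int
    members: frozenset[int]
    friends_only_invites: bool              # hypothetical "restrict invites to friends" setting


THREADS = {
    1: Thread(1, frozenset({7, 8}), ["hi 8", "hi 7"]),
    2: Thread(2, frozenset({8, 9}), ["salary figures attached"]),
}
GROUPS = {
    10: Group(10, frozenset({8}), friends_only_invites=True),
    11: Group(11, frozenset({8}), friends_only_invites=False),
}
FRIENDS = {8: frozenset({9}), 9: frozenset({8})}   # constructed friendship graph


def get_thread_messages_vulnerable(user_id: int, thread_id: int) -> list[str]:
    # Looks the thread up purely by the ID in the request: any logged-in
    # member can read any thread, which is the flaw the advisory describes.
    return list(THREADS[thread_id].messages)


def get_thread_messages(user_id: int, thread_id: int) -> list[str]:
    # Hardened: resolve the object, then require the caller to be a recipient.
    # A missing thread and a thread the caller may not see raise the same
    # error, so the endpoint does not reveal which thread IDs exist.
    thread = THREADS.get(thread_id)
    if thread is None or user_id not in thread.recipients:
        raise Forbidden(f"user {user_id} may not read thread {thread_id}")
    return list(thread.messages)


def invite_to_group_vulnerable(inviter: int, invitee: int, group_id: int) -> str:
    # Checks membership only; the friends-only policy lived in the UI layer,
    # so a direct REST call bypasses it.
    group = GROUPS[group_id]
    if inviter not in group.members:
        raise Forbidden(f"user {inviter} is not a member of group {group_id}")
    return f"invite sent to user {invitee} for group {group_id}"


def invite_to_group(inviter: int, invitee: int, group_id: int) -> str:
    # Hardened: the policy is enforced at the object layer, whichever
    # front end (REST, template) issued the request.
    group = GROUPS.get(group_id)
    if group is None or inviter not in group.members:
        raise Forbidden(f"user {inviter} is not a member of group {group_id}")
    if group.friends_only_invites and invitee not in FRIENDS.get(inviter, frozenset()):
        raise Forbidden(f"group {group_id} only accepts invites between friends")
    return f"invite sent to user {invitee} for group {group_id}"


def can_read_thread(user_id: int, thread_id: int) -> bool:
    try:
        get_thread_messages(user_id, thread_id)
        return True
    except Forbidden:
        return False


def can_invite(inviter: int, invitee: int, group_id: int) -> bool:
    try:
        invite_to_group(inviter, invitee, group_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print(get_thread_messages_vulnerable(7, 2))   # leaks thread 2 to user 7
    print(can_read_thread(7, 2), can_read_thread(8, 2))
    print(can_invite(8, 7, 10), can_invite(8, 9, 10), can_invite(8, 7, 11))
```

The check that matters is the one in `get_thread_messages` and `invite_to_group`: authorization is decided after the object is resolved and before anything is returned, and it lives with the object rather than in whichever front end happens to render it.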
NVD
added 2021/03/16 2:15 p.m., 17 views

CVE-2020-4890

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 could allow a local user with a valid role to the REST API to cause a denial of service due to weak or absent rate limiting. IBM X-Force ID: 190973...

CVSS 4.4, EPSS 0.00241
Exploits 0, References 2
NVD
added 2021/03/16 2:15 p.m., 17 views

CVE-2020-4891

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 uses an inadequate account lockout setting that could allow a local user to brute force REST API account credentials. IBM X-Force ID: 190974...

CVSS 6.2, EPSS 0.00241
Exploits 0, References 2
Prion
added 2021/03/16 2:15 p.m., 17 views

Code injection

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 uses an inadequate account lockout setting that could allow a local user to brute force REST API account credentials. IBM X-Force ID: 190974...

CVSS 2.1, AI score 5.2, EPSS 0.00241
Exploits 0, References 2, Affected software 1
Prion
added 2021/03/16 2:15 p.m., 20 views

Code injection

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 could allow a local user with a valid role to the REST API to cause a denial of service due to weak or absent rate limiting. IBM X-Force ID: 190973...

CVSS 2.1, AI score 4.6, EPSS 0.00241
Exploits 0, References 2, Affected software 1
Cvelist
added 2021/03/16 1:55 p.m., 20 views

CVE-2020-4891

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 uses an inadequate account lockout setting that could allow a local user to brute force REST API account credentials. IBM X-Force ID: 190974...

CVSS 6.2, AI score 5.3, EPSS 0.00241
Exploits 0, References 2
CVE
added 2021/03/16 1:55 p.m., 40 views

CVE-2020-4890

IBM Spectrum Scale vulnerability CVE-2020-4890 affects versions 5.0.0–5.0.5.5 and 5.1.0–5.1.0.2. A local user with a valid REST API role can cause a denial of service due to weak or absent rate limiting on REST API requests. The root cause is insufficient rate-limiting controls; impact is availab...

CVSS 4.4, AI score 4.8, EPSS 0.00241
Exploits 0, References 2, Affected software 1
Cvelist
added 2021/03/16 1:55 p.m., 20 views

CVE-2020-4890

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 could allow a local user with a valid role to the REST API to cause a denial of service due to weak or absent rate limiting. IBM X-Force ID: 190973...

CVSS 4.4, AI score 4.6, EPSS 0.00241
Exploits 0, References 2
CVE
added 2021/03/16 1:55 p.m., 42 views

CVE-2020-4891

CVE-2020-4891 affects IBM Spectrum Scale: versions 5.0.0–5.0.5.5 and 5.1.0–5.1.0.2 expose an improper account lockout setting that could let a local attacker brute‑force REST API credentials. Affected product: IBM Spectrum Scale (GPFS-based). Root cause: inadequate local account lockout configura...

CVSS 6.2, AI score 5.2, EPSS 0.00241
Exploits 0, References 2, Affected software 1
IBM Security Bulletins
added 2021/03/15 10:23 a.m., 17 views

Security Bulletin: Multiple vulnerabilities affect the IBM Spectrum Scale GUI.

Summary: Vulnerabilities exist in all levels of IBM Spectrum Scale GUI. A fix for this vulnerability is available. Vulnerability Details: CVEID: CVE-2020-4890. DESCRIPTION: IBM Spectrum Scale could allow a local user with a valid role to the REST API to cause a denial of service due to weak or absen...

CVSS 6.2, AI score 0.4, EPSS 0.00241
Exploits 0, Affected software 1
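The two Spectrum Scale CVEs listed above (CVE-2020-4890, weak or absent rate limiting; CVE-2020-4891, an inadequate account lockout setting) are the two controls an API gateway has to apply in front of an authenticated REST API, and they interact: the rate limiter caps how many requests one client can send, the lockout caps how many failed guesses one account can absorb regardless of where they come from. The following is an added example, not IBM code, showing both controls in a small gateway with an injected clock so a brute-force run is reproducible; `TokenBucket`, `LockoutPolicy`, `Gateway`, the thresholds and the `CREDENTIALS` store are all constructed for illustration.

```python
"""Rate limiting plus account lockout in front of a REST login.

Added example, not IBM Spectrum Scale code. Thresholds and the credential
store are constructed; a real store holds password hashes, not plaintext.
"""
from collections import defaultdict, deque


class TokenBucket:
    """Per-client token bucket: `capacity` requests of burst, refilled at `refill_per_second`."""

    def __init__(self, capacity: int, refill_per_second: float):
        self.capacity = capacity
        self.refill = refill_per_second
        self._tokens: dict[str, float] = {}
        self._last_seen: dict[str, float] = {}

    def allow(self, client: str, now: float) -> bool:
        tokens = self._tokens.get(client, float(self.capacity))
        elapsed = now - self._last_seen.get(client, now)
        tokens = min(float(self.capacity), tokens + elapsed * self.refill)
        self._last_seen[client] = now
        if tokens < 1.0:
            self._tokens[client] = tokens
            return False
        self._tokens[client] = tokens - 1.0
        return True


class LockoutPolicy:
    """Lock an account for `lock_seconds` after `max_failures` failures inside `window_seconds`."""

    def __init__(self, max_failures: int, window_seconds: float, lock_seconds: float):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lock_seconds = lock_seconds
        self._failures: dict[str, deque] = defaultdict(deque)
        self._locked_until: dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0.0) > now

    def record_failure(self, account: str, now: float) -> None:
        window = self._failures[account]
        window.append(now)
        while window and window[0] < now - self.window:   # drop failures outside the window
            window.popleft()
        if len(window) >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
            window.clear()

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


CREDENTIALS = {"admin": "correct-horse"}   # constructed; illustration only


class Gateway:
    def __init__(self, bucket: TokenBucket, lockout: LockoutPolicy):
        self.bucket = bucket
        self.lockout = lockout

    def login(self, client: str, account: str, password: str, now: float) -> str:
        # Cheapest check first: per-client rate limit, before touching any account state.
        if not self.bucket.allow(client, now):
            return "429 too many requests"
        # Lockout is per account, so it also holds when the attacker rotates source IPs.
        if self.lockout.is_locked(account, now):
            return "423 locked"
        if CREDENTIALS.get(account) == password:
            self.lockout.record_success(account)
            return "200 ok"
        self.lockout.record_failure(account, now)
        return "401 unauthorized"


def simulate() -> list[str]:
    """Eight guesses in one burst from one IP, then the real user from another IP."""
    gw = Gateway(TokenBucket(capacity=5, refill_per_second=1.0),
                 LockoutPolicy(max_failures=3, window_seconds=60, lock_seconds=300))
    results = [gw.login("10.0.0.5", "admin", f"guess{i}", now=0.0) for i in range(8)]
    # Legitimate user while the lock is still in force, then after it expires.
    results.append(gw.login("192.0.2.10", "admin", "correct-horse", now=10.0))
    results.append(gw.login("192.0.2.10", "admin", "correct-horse", now=400.0))
    return results


if __name__ == "__main__":
    for status in simulate():
        print(status)
```

In the run, the third wrong guess locks the account (the next two guesses are refused with 423 even though the client still has tokens), the burst then exhausts the bucket (429), and the legitimate user is locked out at t=10 s before succeeding at t=400 s. That last point is the trade-off to set deliberately: a lockout threshold that is too low turns the control itself into a denial-of-service lever against named accounts, which is why the two settings are tuned together rather than independently.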
CNVD
added 2021/03/11 12:00 a.m., 6 views

F5 iControl REST Remote Command Execution Vulnerability

F5 BIG-IP is F5's application delivery platform that integrates network traffic scheduling, load balancing, intelligent DNS, remote access policy management, etc. F5 BIG-IQ Centralized Management is F5's management and scheduling platform that centrally manages and controls the F5 BIG-IP physical...

CVSS 10, AI score 7.5, EPSS 0.99898
Exploits 20
RedHat Linux
added 2021/03/03 12:28 p.m., 4 views

jenkins: Improper handling of REST API XML deserialization errors

A flaw was found in Jenkins. An attacker with permission to create or configure various objects can inject crafted content into Old Data Monitor, causing the instantiation of potentially unsafe objects once an administrator discards that data. The highest threat from this vulnerability is to data...

CVSS 8, AI score 5.8, EPSS 0.01677
Exploits 0, References 4
Prion
added 2021/03/03 4:15 a.m., 24 views

Improper access control

An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to gain write access to unauthorized repositories via specifically crafted pull requests and REST API requests. An attacker would need to be able to fork the target...

CVSS 4, AI score 6.5, EPSS 0.00919
Exploits 0, References 4, Affected software 1
CVE
added 2021/03/03 3:25 a.m., 108 views

CVE-2021-22861

GitHub Enterprise Server vulnerability CVE-2021-22861: An improper access control issue allowed authenticated users to write to unauthorized repositories via crafted pull requests and REST API calls. Affected versions include ranges listed in PT-2021-15234: 2.4.21–2.20.23, 2.21.0–2.21.14, 2.22.0–...

CVSS 6.5, AI score 6.5, EPSS 0.00919
Exploits 0, References 4, Affected software 1
WPVulnDB
added 2021/03/03 12:00 a.m., 20 views

User Profile Picture < 2.5.0 - Sensitive Information Disclosure

The REST API endpoint getusers in the plugin returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information. PoC Usage: php poc.php auth...

AI score 7.5, EPSS 0.04788
Exploits 2, References 1, Affected software 1
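The User Profile Picture entry above is the usual shape of a REST information disclosure: the endpoint's capability check was present (upload_files), but the response was built by returning the stored user row, so everything in the row went out with it, including the password hash and activation key. The fix is to serialize from an explicit allow-list of fields selected by the caller's capability, never from the row itself. The following is an added example, not the plugin's code; the `USERS` rows, the capability-to-fields table and the function names are constructed for illustration.

```python
"""Allow-list serialization for a user-listing REST endpoint.

Added example, not User Profile Picture or WordPress code. USERS is a
constructed table; hash and key values are placeholders.
"""

USERS = [
    {"ID": 1, "user_login": "admin", "user_email": "admin@example.test",
     "user_pass": "$P$Bplaceholderhash1", "user_activation_key": "placeholderkey1",
     "display_name": "Site Admin", "avatar_url": "https://example.test/a/1.png"},
    {"ID": 2, "user_login": "editor", "user_email": "editor@example.test",
     "user_pass": "$P$Bplaceholderhash2", "user_activation_key": "",
     "display_name": "Editor", "avatar_url": "https://example.test/a/2.png"},
]

# Fields that must never leave the server through this endpoint, whatever the caller holds.
SECRET_FIELDS = frozenset({"user_pass", "user_activation_key"})

# What each capability is allowed to see; the most privileged capability listed first.
PUBLIC_FIELDS = ("ID", "display_name", "avatar_url")
FIELDS_BY_CAPABILITY = (
    ("list_users", PUBLIC_FIELDS + ("user_login", "user_email")),
    ("upload_files", PUBLIC_FIELDS),
)


def get_users_vulnerable(caller_caps: set[str]) -> list[dict]:
    # The capability check is there, but the response is the raw row.
    if "upload_files" not in caller_caps:
        raise PermissionError("upload_files required")
    return [dict(row) for row in USERS]


def get_users(caller_caps: set[str]) -> list[dict]:
    # Choose the field set from the caller's strongest matching capability, then
    # project each row onto exactly that set. Secret fields are not in any set.
    for capability, fields in FIELDS_BY_CAPABILITY:
        if capability in caller_caps:
            return [{name: row[name] for name in fields} for row in USERS]
    raise PermissionError("no capability grants access to this endpoint")


def leaks_secrets(response: list[dict]) -> bool:
    """True if any returned row carries a field from SECRET_FIELDS."""
    return any(SECRET_FIELDS & row.keys() for row in response)


def allowlists_are_safe() -> bool:
    """Static check to run in CI: no capability's field list names a secret field."""
    return all(not (SECRET_FIELDS & set(fields)) for _, fields in FIELDS_BY_CAPABILITY)


if __name__ == "__main__":
    print(leaks_secrets(get_users_vulnerable({"upload_files"})))   # True
    print(get_users({"upload_files"}))
    print(get_users({"list_users"}))
```

The `leaks_secrets` and `allowlists_are_safe` helpers are the two checks worth keeping: the first over a captured response when reviewing an endpoint, the second over the allow-list table itself so that a future edit cannot reintroduce a hash or key field.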
CVE
added 2021/02/27 4:27 a.m., 93 views

CVE-2019-25020

CVE-2019-25020 affects Scytl sVote 2.1. The root cause is an unauthenticated sdm-ws-rest API that allows retrieving administrative configuration by sending a POST to /sdm-ws-rest/preconfiguration. The impact is exposure of admin configuration (confidentiality impact noted as HIGH in CVSS 3.1). Ex...

CVSS 7.5, AI score 7.4, EPSS 0.01289
Exploits 1, References 1, Affected software 1
Tenable Nessus
added 2021/02/20 12:00 a.m., 67 views

Oracle Linux 8 : container-tools:ol8 (ELSA-2021-0531)

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-0531 advisory. buildah 1.16.7-4.0.1 - Handling redirect from the docker registry Orabug: 29874238 Nikita Gerasimov 1.16.7-4 - update to the latest content of...

CVSS 5.3, AI score 6.3, EPSS 0.01402
Exploits 0, References 2
Hacker One
added 2021/02/19 3:37 p.m., 52 views

WordPress: Privilege Escalation via REST API to Administrator leads to RCE

Kien Hoang reported a privilege escalation vulnerability in the BuddyPress REST API. Through this issue, if registration of new users is enabled, a non-admin user can gain administrator access on the site. The administrator access can then lead to remote code execution, as admins have the right...

CVSS 9, AI score 4.3, EPSS 0.13882
Exploits 2