Design/Logic Flaw

Magento version 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization...

Spoofing

Magento version 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the...

CVE-2020-24404 Incorrect permissions in Integrations component could lead to unauthorized deletion of cmsPages via REST API

Magento version 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization...

CVE-2020-24404

Summary (CVE-2020-24404): Magento Open Source platforms 2.4.0 and 2.3.5p1 (and earlier) have an incorrect permissions vulnerability in the Integrations component. It can be exploited by users who have Pages resource permissions to delete CMS pages via the REST API without authorization, exposing ...

CVE-2020-24403 Incorrect permissions could lead to unauthorized modification of inventory source data via REST API

Magento version 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the...

CVE-2020-24402

Magento 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. The issue allows authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization. This is rooted in impro...

CVE-2020-24402 Incorrect permissions in the Integrations component could lead to unauthorized deletion of customer details via REST API

Magento version 2.4.0 and 2.3.5p1 and earlier are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorizati...

Authorization

A vulnerability in the REST API of Cisco Edge Fog Fabric could allow an authenticated, remote attacker to access files outside of their authorization sphere on an affected device. The vulnerability is due to incorrect authorization enforcement on an affected system. An attacker could exploit this...

CVE-2020-26084 Cisco Edge Fog Fabric Resource Exposure Vulnerability

A vulnerability in the REST API of Cisco Edge Fog Fabric could allow an authenticated, remote attacker to access files outside of their authorization sphere on an affected device. The vulnerability is due to incorrect authorization enforcement on an affected system. An attacker could exploit this...

CVE-2020-26084

CVE-2020-26084 : A vulnerability in the REST API of Cisco Edge Fog Fabric allows an authenticated, remote attacker to access and potentially overwrite arbitrary files due to incorrect authorization enforcement. Exploitation requires sending a crafted API request. The issue is documented across mu...

CVE-2020-26084 Cisco Edge Fog Fabric Resource Exposure Vulnerability

A vulnerability in the REST API of Cisco Edge Fog Fabric could allow an authenticated, remote attacker to access files outside of their authorization sphere on an affected device. The vulnerability is due to incorrect authorization enforcement on an affected system. An attacker could exploit this...

CVE-2020-27589

Synopsys hub-rest-api-python aka blackduck on PyPI version 0.0.25 - 0.0.52 does not validate SSL certificates in certain cases...

CVE-2020-27589

Synopsys hub-rest-api-python aka blackduck on PyPI version 0.0.25 - 0.0.52 does not validate SSL certificates in certain cases...

PYSEC-2020-26

Synopsys hub-rest-api-python aka blackduck on PyPI version 0.0.25 - 0.0.52 does not validate SSL certificates in certain cases...

CVE-2020-27589

Synopsys hub-rest-api-python aka blackduck on PyPI version 0.0.25 - 0.0.52 does not validate SSL certificates in certain cases...

CVE-2020-27589

CVE-2020-27589 affects Synopsys hub-rest-api-python (blackduck on PyPI) in versions 0.0.25–0.0.52, which do not validate SSL certificates in certain cases. According to the CVE entry, this yields a high-severity impact (CVSSv3.1: 7.5) with potential integrity impact and network exposure. No explo...

CVE-2020-12145

Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ uses HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances that are hosted ...

CVE-2020-12146

In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, an authenticated user can access, modify, and delete restricted files on the Orchestrator server using the/debugFiles REST API...

Code injection

In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, an authenticated user can make unauthorized MySQL queries against the Orchestrator database using the /sqlExecution REST API, which had been used for internal testing...

Design/Logic Flaw

In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, an authenticated user can access, modify, and delete restricted files on the Orchestrator server using the/debugFiles REST API...