4947 matches found

Source: CNVD | added 2020/06/28 12:00 a.m. | 4 views

WordPress acf-to-rest-api Information Disclosure Vulnerability

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. An information disclosure vulnerability exists in WordPress acf-to-rest-api, which can be exploited by an...

CVSS 7.5 | AI score 6.1 | EPSS 0.12955
Exploits: 2 | References: 1
Source: wpexploit | added 2020/06/28 12:00 a.m. | 171 views

ACF to REST API < 3.3.0 - Unauthenticated Arbitrary wp_options Disclosure

The plugin does not properly check for authorisation and allowed options to be retrieved from the wp-json/acf/v3/options/ endpoint. This could allow unauthenticated attacker to retrieve arbitrary values from the wpoptions table, such as a list of active plugins. List all active plugins of the blo...

CVSS 5 | AI score 2.2 | EPSS 0.12955
Exploits: 2 | References: 2
Source: Cvelist | added 2020/06/24 2:25 p.m. | 21 views

CVE-2020-13700

An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wpoptions table, such as the login and pass...

AI score 7.3 | EPSS 0.12955
Exploits: 2 | References: 3
Source: OSV | added 2020/06/24 5:15 a.m. | 3 views

CVE-2020-10274

The access tokens for the REST API are directly derived sha256 and base64 encoding from the publicly available default credentials from the Control Dashboard refer to CVE-2020-10270 for related flaws. This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks...

CVSS 7.1 | AI score 7.3
Exploits: 0 | References: 1
Source: NVD | added 2020/06/24 5:15 a.m. | 34 views

CVE-2020-10274

The access tokens for the REST API are directly derived sha256 and base64 encoding from the publicly available default credentials from the Control Dashboard refer to CVE-2020-10270 for related flaws. This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks...

CVSS 7.1 | EPSS 0.00902
Exploits: 0 | References: 1
Source: NVD | added 2020/06/24 5:15 a.m. | 13 views

CVE-2020-10275

The access tokens for the REST API are directly derived from the publicly available default credentials for the web interface. Given a USERNAME and a PASSWORD, the token string is generated directly with base64USERNAME:sha256PASSWORD. An unauthorized attacker inside the network can use the defaul...

CVSS 9.8 | EPSS 0.00964
Exploits: 0 | References: 1
Source: Prion | added 2020/06/24 5:15 a.m. | 18 views

Default credentials

The access tokens for the REST API are directly derived sha256 and base64 encoding from the publicly available default credentials from the Control Dashboard refer to CVE-2020-10270 for related flaws. This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks...

CVSS 5.5 | AI score 7.5 | EPSS 0.01656
Exploits: 1 | References: 1 | Affected Software: 1
Source: Prion | added 2020/06/24 5:15 a.m. | 11 views

Default credentials

The access tokens for the REST API are directly derived from the publicly available default credentials for the web interface. Given a USERNAME and a PASSWORD, the token string is generated directly with base64USERNAME:sha256PASSWORD. An unauthorized attacker inside the network can use the defaul...

CVSS 7.5 | AI score 9.2 | EPSS 0.00964
Exploits: 0 | References: 1 | Affected Software: 1
Source: Cvelist | added 2020/06/24 5:00 a.m. | 12 views

CVE-2020-10275 RVD#2565: Weak token generation for the REST API.

The access tokens for the REST API are directly derived from the publicly available default credentials for the web interface. Given a USERNAME and a PASSWORD, the token string is generated directly with base64USERNAME:sha256PASSWORD. An unauthorized attacker inside the network can use the defaul...

CVSS 9.8 | AI score 9.4 | EPSS 0.00964
Exploits: 0 | References: 1
Source: CVE | added 2020/06/24 5:00 a.m. | 72 views

CVE-2020-10275

CVE-2020-10275 describes a weakness in REST API token generation where tokens are directly derived from publicly available default credentials for the web interface. With a given USERNAME and PASSWORD, the token is computed as base64(USERNAME:sha256(PASSWORD)). An attacker inside the network who ...

CVSS 9.8 | AI score 9.5 | EPSS 0.00964
Exploits: 0 | References: 1 | Affected Software: 1
Source: Cvelist | added 2020/06/24 4:40 a.m. | 26 views

CVE-2020-10274 RVD#2556: MiR REST API allows for data exfiltration by unauthorized attackers (e.g. indoor maps)

The access tokens for the REST API are directly derived sha256 and base64 encoding from the publicly available default credentials from the Control Dashboard refer to CVE-2020-10270 for related flaws. This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks...

CVSS 7.1 | AI score 7.2 | EPSS 0.00902
Exploits: 0 | References: 1
Source: CVE | added 2020/06/24 4:40 a.m. | 57 views

CVE-2020-10274

MiR robots are affected by CVE-2020-10274 in combination with CVE-2020-10273. Affected products include MiR100, MiR200, MiR250, MiR500, MiR1000 and MiR Fleet, with MiR Robot Software versions prior to 2.10.2.1 (per ICS advisory) and older firmware versions (MiR controllers prior to 2.8.1.1) per N...

CVSS 7.1 | AI score 7.1 | EPSS 0.00902
Exploits: 0 | References: 1 | Affected Software: 1
Source: GitLab Advisory Database | added 2020/06/24 12:00 a.m. | 18 views

Information Exposure

An issue was discovered in the acf-to-rest-api plugin for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wpoptions table, such as the login and password values...

CVSS 7.5 | AI score 2.1 | EPSS 0.12955
Exploits: 2 | References: 1 | Affected Software: 1
Source: Positive Technologies | added 2020/06/24 12:00 a.m. | 3 views

PT-2020-13654 · WordPress · Acf-To-Rest-Api

Name of the Vulnerable Software and Affected Versions: acf-to-rest-api plugin through 3.1.0 for WordPress Description: The issue allows an insecure direct object reference via permalinks manipulation. This can be demonstrated by a "wp-json/acf/v3/options/" request that reads sensitive information...

CVSS 7.5 | AI score 7.1 | EPSS 0.12955
Exploits: 2 | References: 8
Source: OSV | added 2020/06/19 7:15 p.m. | 16 views

CVE-2017-18895

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information user statuses via a REST API version 4 endpoint...

CVSS 5.3 | AI score 6.5
Exploits: 0 | References: 1
Source: OSV | added 2020/06/19 7:15 p.m. | 17 views

CVE-2017-18896

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint...

CVSS 5.3 | AI score 7
Exploits: 0 | References: 1
Source: NVD | added 2020/06/19 7:15 p.m. | 20 views

CVE-2017-18896

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint...

CVSS 5.3 | EPSS 0.00769
Exploits: 0 | References: 1
Source: OSV | added 2020/06/19 7:15 p.m. | 13 views

CVE-2017-18889

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API...

CVSS 4.3 | AI score 7.1
Exploits: 0 | References: 1
Source: NVD | added 2020/06/19 7:15 p.m. | 22 views

CVE-2017-18889

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API...

CVSS 4.3 | EPSS 0.00664
Exploits: 0 | References: 1
Source: Prion | added 2020/06/19 7:15 p.m. | 12 views

Design/Logic Flaw

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information user statuses via a REST API version 4 endpoint...

CVSS 5 | AI score 5 | EPSS 0.0092
Exploits: 0 | References: 1 | Affected Software: 1