4947 matches found

Prion, added 2020/06/19 7:15 p.m., 14 views

Design/Logic Flaw

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint...

CVSS 5 | AI score 5.2 | EPSS 0.00769
Exploits 0 | References 1 | Affected Software 1
Prion, added 2020/06/19 7:15 p.m., 18 views

SQL injection

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API...

CVSS 4 | AI score 4.8 | EPSS 0.00664
Exploits 0 | References 1 | Affected Software 1
CVE, added 2020/06/19 6:43 p.m., 42 views

CVE-2017-18895

Mattermost Server is affected prior to versions 4.2.0, 4.1.1, and 4.0.5. A REST API version 4 endpoint can expose sensitive user status information to attackers, enabling information disclosure. The issue is documented across multiple sources (including SUSE, Red Hat, CNVD, GHSA, and OSV) with th...

CVSS 5.3 | AI score 4.9 | EPSS 0.0092
Exploits 0 | References 1 | Affected Software 1
Cvelist, added 2020/06/19 6:43 p.m., 15 views

CVE-2017-18895

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint...

AI score 5 | EPSS 0.0092
Exploits 0 | References 1
Cvelist, added 2020/06/19 6:10 p.m., 24 views

CVE-2017-18896

An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint...

AI score 5.3 | EPSS 0.00769
Exploits 0 | References 1
CVE, added 2020/06/19 6:08 p.m., 44 views

CVE-2017-18889

Summary: CVE-2017-18889 affects Mattermost Server prior to 4.3.0, 4.2.1, and 4.1.2. An attacker can abuse the v3/v4 REST API via webhooks or slash commands to create fictive system-message posts. What's affected: Mattermost Server (versions before 4.3.0, 4.2.1, and 4.1.2). The vulnerability is ex...

CVSS 4.3 | AI score 4.6 | EPSS 0.00664
Exploits 0 | References 1 | Affected Software 1
NVD, added 2020/06/18 3:15 a.m., 23 views

CVE-2020-3242

A vulnerability in the REST API of Cisco UCS Director could allow an authenticated, remote attacker with administrative privileges to obtain confidential information from an affected device. The vulnerability exists because confidential information is returned as part of an API response. An...

CVSS 4.9 | EPSS 0.01076
Exploits 0 | References 1
Prion, added 2020/06/18 3:15 a.m., 20 views

Authentication flaw

A vulnerability in the REST API of Cisco UCS Director could allow an authenticated, remote attacker with administrative privileges to obtain confidential information from an affected device. The vulnerability exists because confidential information is returned as part of an API response. An...

CVSS 4 | AI score 4.9 | EPSS 0.01076
Exploits 0 | References 1 | Affected Software 1
CVE, added 2020/06/18 2:21 a.m., 87 views

CVE-2020-3242

CVE-2020-3242, Cisco UCS Director Information Disclosure: A vulnerability in the REST API could allow an authenticated, remote attacker with administrative privileges to obtain confidential information from an affected device. The issue arises because confidential information is returned as par...

CVSS 4.9 | AI score 4.9 | EPSS 0.01076
Exploits 0 | References 1 | Affected Software 1
Cvelist, added 2020/06/18 2:21 a.m., 15 views

CVE-2020-3242 Cisco UCS Director Information Disclosure Vulnerability

A vulnerability in the REST API of Cisco UCS Director could allow an authenticated, remote attacker with administrative privileges to obtain confidential information from an affected device. The vulnerability exists because confidential information is returned as part of an API response. An...

CVSS 4.9 | AI score 4.9 | EPSS 0.01076
Exploits 0 | References 1
Hacker One, added 2020/06/09 11:39 p.m., 101 views

h1-ctf: [H1-2006 2020] Exploiting multiple vulnerabilities to get hacker's payment ensured

Last week, HackerOne's CEO Marten lost his credentials for BountyPay. A tweet from HackerOne's official Twitter account asked for help from ethical hackers and bounty hunters to help the CEO recover his credentials and insure May's payments. As an active bug hunter on HackerOne, I decided to take...

AI score 7
Exploits 0
Atlassian, added 2020/06/08 9:14 p.m., 37 views

REST API - Deactivate the REST API

Suggestion Description: The Confluence Server REST API (https://developer.atlassian.com/confdev/confluence-server-rest-api) is active by default and there is no way to deactivate it. It should have a similar option like the Enabling the Remote...

AI score 2.3
Exploits 0 | Affected Software 1
Atlassian, added 2020/06/08 9:14 p.m., 23 views

REST API - Deactivate the REST API

Suggestion Description: The Confluence Server REST API (https://developer.atlassian.com/confdev/confluence-server-rest-api) is active by default and there is no way to deactivate it. It should have a similar option like the Enabling the Remote...

AI score 2.3
Exploits 0
NVD, added 2020/06/08 4:15 p.m., 17 views

CVE-2020-9042

In Couchbase Server 6.0, credentials cached by a browser can be used to perform a CSRF attack if an administrator has used their browser to check the results of a REST API request...

CVSS 8.8 | AI score 8.7 | EPSS 0.00576
Exploits 0 | References 1
Prion, added 2020/06/08 4:15 p.m., 15 views

Cross site request forgery (CSRF)

In Couchbase Server 6.0, credentials cached by a browser can be used to perform a CSRF attack if an administrator has used their browser to check the results of a REST API request...

CVSS 6.8 | AI score 8.6 | EPSS 0.00576
Exploits 0 | References 1 | Affected Software 1
Cvelist, added 2020/06/08 3:21 p.m., 15 views

CVE-2020-9042

In Couchbase Server 6.0, credentials cached by a browser can be used to perform a CSRF attack if an administrator has used their browser to check the results of a REST API request...

AI score 8.7 | EPSS 0.00576
Exploits 0 | References 1
CVE, added 2020/06/08 3:21 p.m., 36 views

CVE-2020-9042

The provided sources describe a CSRF vulnerability in Couchbase Server 6.0 where credentials cached in a browser can be abused to perform a CSRF attack if an administrator has used the browser to view REST API results. Concrete exploit/impact details beyond this (specific vectors, affected versio...

CVSS 8.8 | AI score 8.6 | EPSS 0.00576
Exploits 0 | References 1 | Affected Software 1
0day.today, added 2020/06/08 12:00 a.m., 79 views

Cisco UCS Director Cloupia Script Remote Code Execution Exploit

This Metasploit module exploits an authentication bypass and directory traversals in Cisco UCS Director versions prior to 6.7.4.0 to leak the administrator's REST API key and execute a Cloupia script containing an arbitrary root command. Note that the primary functionality of this module is to...

CVSS 9.8 | AI score 0.4 | EPSS 0.88374
Exploits 5
0daydb, added 2020/06/07 12:52 p.m., 70 views

Cisco UCS Director Cloupia Script - Remote Code Execution

This Metasploit module exploits an authentication bypass and directory traversals in Cisco UCS Director. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Cisco UCS Director Cloupia Script RCE',...

AI score 0.2 | EPSS 0.88374
Exploits 5
Packet Storm, added 2020/06/05 12:00 a.m., 481 views

Cisco UCS Director Cloupia Script Remote Code Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Cisco UCS Director Cloupia Script RCE', 'Description' = %q This module exploits an authentication bypass and directory traversals in Cisco UCS...

CVSS 7.5 | EPSS 0.88374
Exploits 5