
4947 matches found

Cvelist
added 2020/04/08 2:5 p.m., 17 views

CVE-2019-4603

IBM Quality Manager RQM 6.02, 6.06, and 6.0.6.1 could allow an authenticated user to create keywords through the REST API and have them appear as if they were created by another user. IBM X-Force ID: 168295...

CVSS 4.3, AI score 4.4, EPSS 0.00749
Exploits: 0, References: 2
CVE
added 2020/04/08 2:5 p.m., 37 views

CVE-2019-4603

IBM Quality Manager (RQM) versions 6.02, 6.06 and 6.0.6.1 are affected: an authenticated user can create keywords via the REST API and have them appear as if created by another user. This CVE affects RQM’s REST API keyword handling and may enable impersonation of keyword creation. Remediation pro...

CVSS 4.3, AI score 4.6, EPSS 0.00749
Exploits: 0, References: 2, Affected Software: 1
Prion
added 2020/04/07 5:15 p.m., 21 views

Code injection

The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to update arbitrary WordPress metadata, including the ability to escalate or revoke administrative privileges for existing users via the unsecured rankmath/v1/updateMeta REST API endpoint...

CVSS 7.5, AI score 9.7, EPSS 0.09106
Exploits: 2, References: 3, Affected Software: 1
Prion
added 2020/04/07 5:15 p.m., 15 views

Open redirect

The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to create new URIs that redirect to an external web site via the unsecured rankmath/v1/updateRedirection REST API endpoint. In other words, this is not an "Open Redirect" issue; instead, it allows the...

CVSS 5.8, AI score 6.5, EPSS 0.02072
Exploits: 2, References: 3, Affected Software: 1
Cvelist
added 2020/04/07 4:51 p.m., 17 views

CVE-2020-11515

The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to create new URIs that redirect to an external web site via the unsecured rankmath/v1/updateRedirection REST API endpoint. In other words, this is not an "Open Redirect" issue; instead, it allows the...

AI score 7.1, EPSS 0.02072
Exploits: 2, References: 3
CVE
added 2020/04/07 4:50 p.m., 102 views

CVE-2020-11514

The CVE-2020-11514 issue affects the Rank Math SEO WordPress plugin (versions up to 1.0.40.2). The vulnerability allows unauthenticated remote attackers to update arbitrary WordPress metadata via the unsecured rankmath/v1/updateMeta REST API endpoint, enabling privilege escalation to administrato...

CVSS 9.8, AI score 9.7, EPSS 0.09106
Exploits: 2, References: 3, Affected Software: 1
OpenVAS
added 2020/04/03 12:0 a.m., 23 views

Fedora: Security Advisory for coturn (FEDORA-2020-f3fcb1608a)

The remote host is missing an update for the Copyright (C) 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

CVSS 9.8, AI score 8.7, EPSS 0.05955
Exploits: 2, References: 2
NVD
added 2020/04/02 3:15 p.m., 15 views

CVE-2020-4325

The IBM Process Federation Server 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, and 19.0.0.3 Global Teams REST API does not properly shutdown the thread pools that it creates to retrieve Global Teams information from the federated systems. As a consequence, the Java Virtual Machine can't recover the...

CVSS 6.5, AI score 6.1, EPSS 0.01456
Exploits: 0, References: 2
Prion
added 2020/04/02 3:15 p.m., 11 views

Design/Logic Flaw

The IBM Process Federation Server 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, and 19.0.0.3 Global Teams REST API does not properly shutdown the thread pools that it creates to retrieve Global Teams information from the federated systems. As a consequence, the Java Virtual Machine can't recover the...

CVSS 4, AI score 6.1, EPSS 0.01456
Exploits: 0, References: 2, Affected Software: 2
Cvelist
added 2020/04/02 2:20 p.m., 12 views

CVE-2020-4325

The IBM Process Federation Server 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, and 19.0.0.3 Global Teams REST API does not properly shutdown the thread pools that it creates to retrieve Global Teams information from the federated systems. As a consequence, the Java Virtual Machine can't recover the...

CVSS 6.5, AI score 6.1, EPSS 0.01456
Exploits: 0, References: 2
CVE
added 2020/04/02 2:20 p.m., 47 views

CVE-2020-4325

CVE-2020-4325 affects IBM Process Federation Server and IBM Automation Workstream Services in Cloud Pak for Automation. The root cause is improper shutdown of thread pools used to retrieve Global Teams information, causing JVM memory to be unrecoverable and leading to OutOfMemory errors when the ...

CVSS 6.5, AI score 6, EPSS 0.01456
Exploits: 0, References: 2, Affected Software: 2
ThreatPost
added 2020/04/01 6:3 p.m., 469 views

Critical WordPress Plugin Bug Can Lock Admins Out of Websites

A pair of security vulnerabilities in the WordPress search engine optimization (SEO) plugin, known as Rank Math, could allow remote cybercriminals to elevate privileges and install malicious redirects onto a target site, according to researchers. It’s a WordPress plugin with more than 200,000...

AI score 10, EPSS 0.26869
Exploits: 0, References: 12
Fedora
added 2020/04/01 4:35 p.m., 24 views

[SECURITY] Fedora 32 Update: coturn-4.5.1.1-3.fc32

The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relayin...

CVSS 9.8, AI score 0.8, EPSS 0.05955
Exploits: 2
IBM Security Bulletins
added 2020/04/01 9:2 a.m., 23 views

Security Bulletin: IBM Process Federation Server REST API is subject to DoS attacks

Summary IBM Process Federation Server Global Teams REST API does not properly shut down the thread pools that it creates, leading to OutOfMemory exceptions, and could be targeted by DoS attacks. Vulnerability Details CVEID: CVE-2020-4325 DESCRIPTION: The IBM Process Federation Server Global Teams...

CVSS 6.5, AI score 0.6, EPSS 0.01456
Exploits: 0, Affected Software: 2
WPVulnDB
added 2020/03/31 12:0 a.m., 16 views

WordPress SEO Plugin - Rank Math < 1.0.41 - Privilege Escalation via Unprotected REST API Endpoint

This plugin registered a REST-API endpoint, rankmath/v1/updateMeta, which failed to include a permission_callback used for capability checking. The endpoint called a function, update_metadata, which could be used to update the slug on existing posts, or could be used to delete or update metadata for...

CVSS 7.5, AI score 0.8, EPSS 0.09106
Exploits: 2, References: 1, Affected Software: 1
wpexploit
added 2020/03/31 12:0 a.m., 80 views

WordPress SEO Plugin - Rank Math < 1.0.41 - Redirect Creation via Unprotected REST API Endpoint

The WordPress SEO Plugin – Rank Math plugin includes a number of optional modules, including a module that can be used to create redirects on a site. In order to add this feature, the plugin registered a REST-API endpoint, rankmath/v1/updateRedirection, which failed to include a permissioncallbac...

CVSS 5.8, AI score 6.5, EPSS 0.02072
Exploits: 2, References: 1
WPVulnDB
added 2020/03/31 12:0 a.m., 26 views

WordPress SEO Plugin - Rank Math < 1.0.41 - Redirect Creation via Unprotected REST API Endpoint

The WordPress SEO Plugin – Rank Math plugin includes a number of optional modules, including a module that can be used to create redirects on a site. In order to add this feature, the plugin registered a REST-API endpoint, rankmath/v1/updateRedirection, which failed to include a permissioncallbac...

CVSS 5.8, AI score 0.1, EPSS 0.02072
Exploits: 2, References: 1, Affected Software: 1
wpexploit
added 2020/03/31 12:0 a.m., 223 views

WordPress SEO Plugin - Rank Math < 1.0.41 - Privilege Escalation via Unprotected REST API Endpoint

This plugin registered a REST-API endpoint, rankmath/v1/updateMeta, which failed to include a permission_callback used for capability checking. The endpoint called a function, update_metadata, which could be used to update the slug on existing posts, or could be used to delete or update metadata for...

CVSS 7.5, AI score 0.6, EPSS 0.09106
Exploits: 2, References: 1
0day.today
added 2020/03/28 12:0 a.m., 347 views

IBM Cognos TM1 / IBM Planning Analytics Server Configuration Overwrite / Code Execution Exploit

IBM Cognos TM1 Server / Planning Analytics Server TM1 suffers from a configuration overwrite vulnerability that can be leveraged to achieve code execution as SYSTEM via TM1 scripting. Extensive research is included in this advisory as well as the Metasploit module. IBM PA / TM1, dating back to...

CVSS 10, AI score 0.7, EPSS 0.86441
Exploits: 6
RedHat Linux
added 2020/03/23 1:20 p.m., 23 views

kafka: Connect REST API exposes plaintext secrets in tasks endpoint

When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value,...

CVSS 7.5, AI score 7.4, EPSS 0.03915
Exploits: 0, References: 4