4947 matches found
CVE-2019-20043
In wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this...
Design/Logic Flaw
In wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this...
CVE-2019-20043
CVE-2019-20043 affects WordPress core (wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php) in versions 3.7–5.3.0, where authenticated users without publish rights can mark posts as sticky via the REST API, bypassing contributor-like restrictions. The impact is that unauthorized use...
FreeBSD : wordpress -- multiple issues (7b97b32e-27c4-11ea-9673-4c72b94353b5)
WordPress developers report: Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so you'll want to upgrade. If you haven't yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues. -Props to Daniel Bachhuber for...
Featured Image from URL <= 2.7.7 - Missing Access Controls on REST routes
The REST routes are missing permission callbacks, allowing unauthenticated/unauthorised users to call them. Affected endpoints: - wp-json/featured-image-from-url/v2/enablefakeapi - wp-json/featured-image-from-url/v2/disablefakeapi - wp-json/featured-image-from-url/v2/nonefakeapi -...
OpenMRS - Java Deserialization RCE (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OpenMRS Java Deserialization RCE', 'Description' = %q OpenMRS is an open-source platform that supplies users with a customizable medical record...
WordPress < 5.3.1
WordPress versions 5.3.0 and earlier are affected by the following vulnerabilities: - Two cross-site scripting (XSS) vulnerabilities exist due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these, by convincing a user to click a specially crafted URL,...
OpenMRS - Java Deserialization Remote Code Execution Exploit
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OpenMRS Java Deserialization RCE', 'Description' = %q OpenMRS is an open-source platform that supplies users with a customizable medical record...
WordPress Multiple Vulnerabilities (Dec 2019) - Windows
WordPress is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:wordpress:wordpress"; ifdescripti...
WordPress <= 5.3 - Authenticated Improper Access Controls in REST API
Description An unprivileged user could make a post sticky via the REST API. Authenticated users who do not have the rights to publish a post were able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass...
wordpress -- multiple issues
WordPress developers report: Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so you'll want to upgrade. If you haven't yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues. -Props to Daniel Bachhuber for findi...
CVE-2014-0026
katello-headpin is vulnerable to CSRF in REST API...
Cross-site request forgery (CSRF)
katello-headpin is vulnerable to CSRF in REST API...
CVE-2014-0026
CVE-2014-0026 applies to katello-headpin and is due to a CSRF vulnerability in the REST API. The issue is listed with CVSS vectors (2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N; 3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) indicating network access, no confidentiality impact, partial integrity impact, a...
Cisco IOS XE Software REST API Authorization Bypass (cisco-sa-20180328-rest)
According to its self-reported version, Cisco IOS XE Software is affected by an authorization bypass vulnerability in the REST API due to insufficient authorization checks for requests that are sent to the REST API of the affected software. An authenticated, remote attacker can exploit this, by...
CVE-2013-4410
ReviewBoard has an access-control problem in REST API...