4945 matches found
XenMobile Rest API
XenMobile provides an extensive REST API that can be leveraged to extract data and provide it for business needs. This feature provides customers with the facility of calling XenMobile services using REST API. Instead of using XenMobile console, customers can call exposed services by using any RE...
Rocket.Chat: XSS via /api/v1/chat.postMessage
The victim could craft a custom message using the REST API that, once seen by the observer, executed arbitrary code in the context of the client user. The vulnerability was present in the attachment fields, where the first field's value could be used to inject HTML tags...
Making Splunk searches using REST API
When you have already learned how to make search requests in Splunk GUI, it may be nice to figure out how do the same from your own scripts using the Splunk REST API. It's really easy! Ok, we have a Splunk SIEM account: user="user" pass="Password123" And we want to execute this search request:...
CVE-2017-1001000
The registerroutes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a...
Integer overflow
The registerroutes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a...
DEBIAN-CVE-2017-1001000
The registerroutes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a...
CVE-2017-1001000
The registerroutes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a...
CVE-2017-1001000
The registerroutes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a...
CVE-2017-1001000
The registerroutes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a...
CVE-2017-1001000
The registerroutes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a...
CVE-2017-1001000
WordPress CVE-2017-1001000 affects WordPress 4.7.x before 4.7.2 in the REST API: REST endpoints wp-json/wp/v2/posts can be accessed with an integer segment followed by a non‑numeric value, enabling remote modification of arbitrary pages. Root cause: lack of validation for an integer identifier in...
CVE-2016-7542
A read-only administrator on Fortinet devices with FortiOS 5.2.x before 5.2.10 GA and 5.4.x before 5.4.2 GA may have access to read-write administrators password hashes not including super-admins stored on the appliance via the webui REST API, and may therefore be able to crack them...
CVE-2016-7542
CVE-2016-7542 affects Fortinet FortiOS. A read-only administrator on FortiOS 5.2.x before 5.2.10 GA and 5.4.x before 5.4.2 GA can access read-write administrator password hashes stored on the appliance via the webUI REST API, enabling potential password cracking of non-super-admins. Public refere...
CVE-2016-7542
A read-only administrator on Fortinet devices with FortiOS 5.2.x before 5.2.10 GA and 5.4.x before 5.4.2 GA may have access to read-write administrators password hashes not including super-admins stored on the appliance via the webui REST API, and may therefore be able to crack them...
CVE-2016-7542
A read-only administrator on Fortinet devices with FortiOS 5.2.x before 5.2.10 GA and 5.4.x before 5.4.2 GA may have access to read-write administrators password hashes not including super-admins stored on the appliance via the webui REST API, and may therefore be able to crack them...
WordPress REST API Bug Could Be Used in Stored XSS Attacks
The recently patched WordPress REST API Endpoint vulnerability is the gift that keeps on giving. Already responsible for more than one million website defacements and attempts to monetize some of those attacks, the flaw also opens the door to a separate attack. Researchers at Sucuri who found the...
Cross site request forgery (csrf)
A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid session cookie...
CVE-2017-6081
A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid session cookie...
CVE-2017-5621
An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. XSS can be triggered via malicious HTML in a chat message or the content of a ticket article, when using either the REST API or the WebSocket API...
CVE-2017-6080
An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protection mechanism involving HTTP Access-Control headers. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid...