4943 matches found
WP REST API (WP API) <= 1.2.2 - Cross-Site Scripting (XSS)
Requests from other origins could potentially run code on the API domain, allowing cross-origin access to authentication cookies or similar...
WordPress WP REST API Plugin <= 1.2.2 - Cross Site Scripting
Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Solution: Update the plugin...
Design/Logic Flaw
The REST API in IBM Business Process Manager BPM 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0 allows remote authenticated users to bypass intended access restrictions on task-variable value changes via unspecified vectors...
CVE-2015-1905
The REST API in IBM Business Process Manager BPM 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0 allows remote authenticated users to bypass intended access restrictions on task-variable value changes via unspecified vectors...
CVE-2015-1906
Cross-site scripting (XSS) vulnerability in the REST API in IBM Business Process Manager BPM 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0 allows remote authenticated users to inject arbitrary web script or HTML via a crafted U...
CVE-2015-1905
CVE-2015-1905 affects IBM Business Process Manager (BPM) REST API in BPM versions 7.5.x–8.5.6.0. The vulnerability arises from insufficient authorization checks, allowing remote authenticated users to bypass intended access restrictions on task-variable value changes via the REST API. The IBM adv...
CVE-2015-1906
CVE-2015-1906 is an XSS vulnerability in the IBM Business Process Manager (BPM) REST API. A remote authenticated user can inject script via a crafted URL in BPM versions 7.5.x–8.5.6.0. Exploitation details are not provided beyond the vulnerability description. IBM’s advisory recommends installing...
Authentication flaw
The REST API in F5 BIG-IQ Cloud, Device, and Security 4.4.0 and 4.5.0 before HF2 and ADC 4.5.0 before HF2, when configured for LDAP remote authentication and the LDAP server allows anonymous BIND operations, allows remote attackers to obtain an authentication token for arbitrary users by guessing...
CVE-2015-4637
CVE-2015-4637 affects F5 BIG-IQ Cloud, Device, and Security 4.4.0 and 4.5.0 before HF2, and BIG-IQ ADC 4.5.0 before HF2. When LDAP remote authentication is enabled and the LDAP server allows anonymous BIND, an unauthenticated attacker can obtain an authentication token for arbitrary LDAP user acc...
CVE-2015-4637
The REST API in F5 BIG-IQ Cloud, Device, and Security 4.4.0 and 4.5.0 before HF2 and ADC 4.5.0 before HF2, when configured for LDAP remote authentication and the LDAP server allows anonymous BIND operations, allows remote attackers to obtain an authentication token for arbitrary users by guessing...
CVE-2015-1961
The REST API in IBM Business Process Manager BPM 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0 allows remote authenticated users to bypass intended access restrictions and execute arbitrary JavaScript code on the server via a...
Design/Logic Flaw
The REST API in IBM Business Process Manager BPM 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0 allows remote authenticated users to bypass intended access restrictions and execute arbitrary JavaScript code on the server via a...
devel/ipython -- CSRF possible remote execution vulnerability
Kyle Kelley reports: Summary: POST requests exposed via the IPython REST API are vulnerable to cross-site request forgery (CSRF). Web pages on different domains can make non-AJAX POST requests to known IPython URLs, and IPython will honor them. The user's browser will automatically send IPython...
HP WebInspect REST API Unauthorized Access
Binary data hpwebinspectnoauthapi.nbin...
Advanced JQL Search does not Respect User email visibility Hidden
Problem: The advanced JQL autocomplete functionality is still showing email addresses, ignoring the User email visibility option. Basic mode does not show emails (see screenshots). Steps to Reproduce: Set User email visibility to Hidden (JIRA Administration > System > General Configuration > Edit). Use...
CVE-2015-0746
The REST API in Cisco Access Control Server (ACS) 5.50.46.2 allows remote attackers to cause a denial of service (API outage) by sending many requests, aka Bug ID CSCut62022...