
18 matches found

Cvelist, added 2025/12/07 4:2 p.m., 15 views

CVE-2025-14197 Verysync 微力同步 Web Administration f96956469e7be39d information disclosure

A security vulnerability has been detected in Verysync 微力同步 up to 2.21.3. The impacted element is an unknown function of the file /rest/f/api/resources/f96956469e7be39d of the component Web Administration Module. Such manipulation leads to information disclosure. The attack can be executed...

CVSS 6.9 | EPSS 0.0004
Exploits: 0 | References: 6
EUVD, added 2025/10/03 8:7 p.m., 3 views

EUVD-2024-0920

Malicious code in bioql PyPI...

CVSS 4.8 | AI score 6.4 | EPSS 0.00979
Exploits: 1 | References: 6
RedhatCVE, added 2025/05/23 2:17 a.m., 4 views

CVE-2023-51445

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting XSS vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level privileges to store a...

CVSS 4.8 | AI score 5.4 | EPSS 0.00979
Exploits: 1 | References: 1
CVE, added 2024/03/20 3:14 p.m., 109 views

CVE-2023-51445

GeoServer’s CVE-2023-51445 is a stored XSS in the REST Resources API. Affected versions prior to 2.23.3 and 2.24.0 allow an authenticated administrator with workspace-level privileges to store a JavaScript payload in uploaded style/legend resources, which will execute in another administrator’s b...

CVSS 4.8 | AI score 4.9 | EPSS 0.00979
Exploits: 1 | References: 4 | Affected Software: 1
OSV, added 2024/03/20 3:14 p.m., 26 views

CVE-2023-51445 GeoServer Stored Cross-Site Scripting (XSS) vulnerability in REST Resources API

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting XSS vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level privileges to store a...

CVSS 4.8 | AI score 5.3 | EPSS 0.00979
Exploits: 1 | References: 6
Vulnrichment, added 2024/03/20 3:14 p.m., 9 views

CVE-2023-51445 GeoServer Stored Cross-Site Scripting (XSS) vulnerability in REST Resources API

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting XSS vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level privileges to store a...

CVSS 4.8 | AI score 5.4 | EPSS 0.00979
Exploits: 1 | References: 4
CNNVD, added 2024/03/20 12:0 a.m., 1 view

GeoServer Cross-Site Scripting Vulnerability

GeoServer is an open source software server written in Java. It allows users to share and edit geospatial data. A cross-site scripting vulnerability exists in GeoServer versions prior to 2.23.3 and 2.24.0, which stems from a cross-site scripting vulnerability contained in the REST Resources API...

CVSS 4.8 | AI score 6 | EPSS 0.00979
Exploits: 1 | References: 5
Vulnrichment, added 2024/01/25 6:12 p.m., 0 views

CVE-2023-6267 Quarkus: json payload getting processed prior to security checks when rest resources are used with annotations.

A flaw was found in JSON payload handling. If annotation-based security is used to secure a REST resource, the JSON body that the resource may consume is processed (deserialized) before the security constraints are evaluated and applied. This does not happen with configuration based security...

CVSS 8.6 | AI score 7 | EPSS 0.00673
Exploits: 0 | References: 4
Cvelist, added 2024/01/25 6:12 p.m., 15 views

CVE-2023-6267 Quarkus: json payload getting processed prior to security checks when rest resources are used with annotations.

A flaw was found in JSON payload handling. If annotation-based security is used to secure a REST resource, the JSON body that the resource may consume is processed (deserialized) before the security constraints are evaluated and applied. This does not happen with configuration based security...

CVSS 8.6 | AI score 9.5 | EPSS 0.00673
Exploits: 0 | References: 4
RedHat Linux, added 2024/01/25 1:52 p.m., 45 views

Important: Red Hat Security Advisory: Red Hat build of Quarkus 3.2.9.SP1 release and security update

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability. For more informatio...

CVSS 9.8 | AI score 6.9 | EPSS 0.00673
Exploits: 0 | References: 5
OSV, added 2022/03/16 1:15 a.m., 0 views

CVE-2021-43958

Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials...

CVSS 9.8 | AI score 7.4
Exploits: 0 | References: 2
CVE, added 2019/08/23 1:49 p.m., 63 views

CVE-2019-8445

CVE-2019-8445 is an Atlassian Jira worklog information disclosure vulnerability. TALOS reports that Jira versions 7.6.4 through 8.1.0 are affected and that authenticated users can view worklog details via the REST endpoint /rest/api/2/worklog/list due to a missing permissions check. The vulnerabi...

CVSS 5.3 | AI score 5.2 | EPSS 0.00589
Exploits: 0 | References: 2 | Affected Software: 1
OSV, added 2019/03/29 2:29 p.m., 1 view

CVE-2017-18105

The console login resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers, who have previously obtained a user's JSESSIONID cookie, to gain access to some of the built-in and potentially third party rest resources via a session fixation...

CVSS 8.1 | AI score 5.8
Exploits: 0 | References: 1
OSV, added 2019/02/13 6:29 p.m., 1 view

CVE-2018-20238

Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability...

CVSS 8.1 | AI score 5.8
Exploits: 0 | References: 2
Atlassian, added 2018/03/08 9:26 a.m., 48 views

The console login did not rotate the session id during login - CVE-2017-18105

The console login resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers, who have previously obtained a user's JSESSIONID cookie, to gain access to some of the built-in and potentially third party rest resources via a session fixation...

CVSS 8.1 | AI score 5.7 | EPSS 0.00509
Exploits: 0 | Affected Software: 1
Snyk, added 2017/09/13 10:0 p.m., 1 view

Cross-site Request Forgery (CSRF)

Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the REST server. An attacker can execute commands as the user by producing a malicious link that, if clicked while the user is logged in, exploits the server. PoC: Attacker puts something like this int...

CVSS 8.8 | AI score 8.8 | EPSS 0.00463
Exploits: 0 | References: 2
Atlassian, added 2013/07/11 8:18 a.m., 17 views

Some of the REST resources in Navigator plugin are susceptible to XSRF attacks

Most of the REST resources in the Navigator plugin accept "x-www-form-urlencoded" bodies but do not check for an XSRF token when making mutative changes. For example: SaveFilterResource: Allow XSRF attack to change user's filter. SuppressedTipsResource UserSearchModeResource...

AI score 1.7
Exploits: 0 | Affected Software: 1
Atlassian, added 2013/07/11 8:18 a.m., 22 views

Some of the REST resources in Navigator plugin are susceptible to XSRF attacks

Most of the REST resources in the Navigator plugin accept "x-www-form-urlencoded" bodies but do not check for an XSRF token when making mutative changes. For example: SaveFilterResource: Allow XSRF attack to change user's filter. SuppressedTipsResource UserSearchModeResource...

AI score 1.7
Exploits: 0 | Affected Software: 1