
221 matches found

CVE
• added 2022/03/30 10:43 p.m. • 74 views

CVE-2021-46006

CVE-2021-46006 affects Totolink A3100R devices (V5.9c.4577). The vulnerability stems from an unauthenticated, API-like function in the fileing/test.asp, which allows an attacker to configure multiple settings without authentication. Documented impact includes exposure to unauthorized configuratio...

CVSS 6.5 | AI score 6.5 | EPSS 0.07242
Exploits: 1 | References: 3 | Affected Software: 1
CNNVD
• added 2022/03/30 12:00 a.m. • 2 views

Vivoh Webinar Manager Authorization Issue Vulnerability

Vivoh Webinar Manager is a multicast application manager from the Vivoh team. A security vulnerability exists in the API prior to Vivoh Webinar Manager version 3.6.3.0 that stems from incorrect API authentication. When a user logs into the Management Configuration Web Portlet, a VIVOHAUTH cookie ...

CVSS 6.5 | AI score 6.5 | EPSS 0.00728
Exploits: 1 | References: 3
NCSC
• added 2022/03/14 12:00 a.m. • 23 views

Vulnerabilities fixed in Veeam Backup & Replication

Veeam has fixed vulnerabilities in Backup & Replication. A malicious party could exploit the vulnerabilities to execute arbitrary code. To do so, the malicious party must access an internal API of the Veeam Distribution Service. No authentication is required for this. Veeam has released update...

CVSS 10 | AI score 7.3 | EPSS 0.05942
Exploits: 0
Positive Technologies
• added 2022/02/11 12:00 a.m. • 5 views

PT-2022-8172 · Harbor · Harbor

Name of the Vulnerable Software and Affected Versions: Harbor versions 1.10.3 and earlier, Harbor versions 2.x before 2.0.1 Description: The issue allows unauthenticated API calls to reveal whether a resource exists via the HTTP status code, enabling resource enumeration. An attacker can make use...

CVSS 5.3 | AI score 7.1 | EPSS 0.01891
Exploits: 1 | References: 8
Pen Test Partners Blog
• added 2022/02/07 6:26 a.m. • 14 views

DPD package sniffing

TL;DR An unauthenticated API call was identified in DPD Group's public API that could allow a user with a valid package ID to, with some basic OSINT, discover the package's destination postcode and thus obtain all details about the package. DPD Group were prompt in the triage and resolution of th...

AI score 6.9
Exploits: 0
CNNVD
• added 2021/10/13 12:00 a.m. • 6 views

Proofpoint Insider Threat Management Server SQL Injection Vulnerability

Proofpoint Insider Threat Management Server is a server-side application from Proofpoint, Inc. that is used to prevent malicious operations by enterprise insiders. A security vulnerability exists in Proofpoint Insider Threat Management Server that stems from incorrect input validation of the...

CVSS 9.8 | AI score 8.8 | EPSS 0.00964
Exploits: 0 | References: 3
Prion
• added 2021/09/23 12:15 p.m. • 14 views

Information disclosure

The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information...

CVSS 5 | AI score 7.9 | EPSS 0.01339
Exploits: 0 | References: 1 | Affected Software: 2
Cvelist
• added 2021/09/23 11:58 a.m. • 20 views

CVE-2021-22012

The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information...

AI score 7.7 | EPSS 0.01339
Exploits: 0 | References: 1
Tenable Nessus
• added 2021/09/22 12:00 a.m. • 54 views

VMware vCenter Server < 7.0 U2d Multiple Vulnerabilities (VMSA-2021-0020)

The version of VMware vCenter Server installed on the remote host is prior to 7.0 U2d. It is, therefore, affected by multiple vulnerabilities: - An unauthenticated API endpoint vulnerability exists in the vCenter Server Content Library. An unauthenticated, remote attacker can exploit this to...

CVSS 6.5 | AI score 7 | EPSS 0.01057
Exploits: 0 | References: 3
VMware
• added 2021/09/21 12:00 a.m. • 77 views

VMware vCenter Server updates address multiple security vulnerabilities

3a. vCenter Server file upload vulnerability CVE-2021-22005 The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. 3b. vCenter Server...

CVSS 9 | AI score 8.9 | EPSS 0.99999
Exploits: 17 | References: 43 | Affected Software: 2
Cvelist
• added 2021/08/30 5:54 p.m. • 19 views

CVE-2021-22025

The vRealize Operations Manager API 8.x prior to 8.5 contains a broken access control vulnerability leading to unauthenticated API access. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to existing vROps cluster...

AI score 7.7 | EPSS 0.00783
Exploits: 0 | References: 1
Huntr
• added 2021/08/01 10:36 p.m. • 16 views

in aquilacms/aquilacms

āœļø Description Unauthenticated API function allows any user to change OR view another user first name, last name, password, and address information. As well, leaked activateAccountToken and resetPassToken can be viewed. šŸ•µļøā€ā™‚ļø Proof of Concept The attacker can guess the correct MongoDBobject ID and...

AI score 6.8
Exploits: 0 | References: 1
Huntr
• added 2021/07/31 2:05 p.m. • 20 views

in amirsanni/mini-inventory-and-sales-management-system

💥 BUG unprivileged user can update stock 💥 STEP TO REPRODUCE 1. From admin account go to https://1410inc.xyz/mini-inventory-and-sales-management-system/administrators and add new user called user-B with basic role. 2. Now go to user-B account and here user-B can't see any item. Now user-B execute...

AI score 0.2
Exploits: 0
Prion
• added 2021/07/07 3:15 p.m. • 10 views

Design/Logic Flaw

An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. There are Unauthenticated API Endpoints...

CVSS 7.5 | AI score 9.4 | EPSS 0.5699
Exploits: 3 | References: 2 | Affected Software: 1
CVE
• added 2021/07/07 2:24 p.m. • 121 views

CVE-2021-33221

CommScope Ruckus IoT Controller (1.7.1.0 and earlier) exposes unauthenticated API endpoints. The Nuclei template details a service-details endpoint that leaks system/config data (DNS/NTP, hostname, version, etc.), a diagnostic endpoint that can generate CPU/disk-heavy files, and a reset endpoint ...

CVSS 9.8 | AI score 9.4 | EPSS 0.5699
Exploits: 3 | References: 2 | Affected Software: 1
CNNVD
• added 2021/06/29 12:00 a.m. • 4 views

Western Digital WD My Book Live Access Control Error Vulnerability

Western Digital WD My Book Live is a network storage device from Western Digital. A security vulnerability exists in Western Digital WD My Book Live 2.x and earlier versions and WD My Book Live Duo, which stems from the fact that the products have an administrator API that can be exploited by an...

CVSS 7.5 | AI score 5.6 | EPSS 0.1271
Exploits: 1 | References: 4
0day.today
• added 2021/05/27 12:00 a.m. • 58 views

CommScope Ruckus IoT Controller 1.7.1.0 Unauthenticated API Endpoints Vulnerability

Three API endpoints for the IoT Controller are accessible without authentication. Two of the endpoints result in information leakage and consumption of computing/storage resources. The third API endpoint that does not require authentication allows for a factory reset of the IoT Controller...

CVSS 9.8 | AI score 0.2 | EPSS 0.5699
Exploits: 3
CNNVD
• added 2021/05/27 12:00 a.m. • 4 views

CommScope Ruckus IoT Controller Access Control Error Vulnerability

The CommScope Ruckus IoT Controller is an IoT controller from CommScope, Inc. It is a virtual controller that integrates with the SmartZone controller to perform connectivity, device and security management functions for non-Wi-Fi devices. An access control error vulnerability exists in...

CVSS 9.8 | AI score 8.3 | EPSS 0.5699
Exploits: 3 | References: 4
Packet Storm
• added 2021/05/27 12:00 a.m. • 183 views

CommScope Ruckus IoT Controller 1.7.1.0 Unauthenticated API Endpoints

KL-001-2021-001: CommScope Ruckus IoT Controller Unauthenticated API Endpoints Title: CommScope Ruckus IoT Controller Unauthenticated API Endpoints Advisory ID: KL-001-2021-001 Publication Date: 2021.05.26 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2021-001.txt 1...

AI score 0.5 | EPSS 0.5699
Exploits: 3
KoreLogic Security
• added 2021/05/26 12:00 a.m. • 33 views

CommScope Ruckus IoT Controller Unauthenticated API Endpoints

Vulnerability Details Affected Vendor: CommScope Affected Product: Ruckus IoT Controller Affected Version: 1.7.1.0 and earlier Platform: Linux CWE Classification: CWE-306: Missing Authentication for Critical Function CVE ID: CVE-2021-33221 2. Vulnerability Description Three API endpoints for the...

CVSS 9.8 | AI score 0.3 | EPSS 0.5699
Exploits: 3 | Affected Software: 1