Input validation
A valid, authenticated LXCA user with elevated privileges may be able to delete folders in the LXCA filesystem through a specifically crafted web API call due to insufficient input validation...
SQL injection
A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API...
Input validation
A valid, authenticated LXCA user with elevated privileges may be able to replace filesystem data through a specifically crafted web API call due to insufficient input validation...
CVE-2023-34422
CVE-2023-34422 affects Lenovo XClarity Administrator (LXCA). The vulnerability arises from insufficient input validation in a web API, allowing a valid, authenticated LXCA user with elevated privileges to delete folders in the LXCA filesystem via a crafted request. The CVE’s impact is described a...
CVE-2023-34421
A valid, authenticated LXCA user with elevated privileges may be able to replace filesystem data through a specifically crafted web API call due to insufficient input validation...
CVE-2023-34421
CVE-2023-34421 affects Lenovo XClarity Administrator (LXCA). An authenticated LXCA user with elevated privileges can potentially replace filesystem data via a specially crafted web API call due to insufficient input validation. CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H (base score 6.5). Explo...
CVE-2023-34420
CVE-2023-34420 affects Lenovo XClarity Administrator (LXCA). A valid, authenticated LXCA user with elevated privileges may execute command injections via crafted calls to a specific web API. The vulnerability is confirmed in multiple feeds (NVD, Red Hat, CNVD, etc.). The available documents do no...
CVE-2023-34420
A valid, authenticated LXCA user with elevated privileges may be able to execute command injections through crafted calls to a specific web API...
CVE-2023-34418
A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API...
PT-2023-24869 · Lenovo · Lxca
Name of the Vulnerable Software and Affected Versions: LXCA affected versions not specified Description: A valid, authenticated LXCA user with elevated privileges may be able to delete folders in the LXCA filesystem through a specifically crafted web API call due to insufficient input validation...
Lenovo XClarity Administrator SQL Injection Vulnerability
Lenovo XClarity Administrator LXCA is a centralized resource management solution from Lenovo, China. The product provides agentless hardware management for servers, storage, network switches, and more. A security vulnerability exists in Lenovo XClarity Administrator that stems from an SQL injecti...
CVE-2023-35809
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Bean Manipulation vulnerability has been identified in the REST API. By using a crafted request, custom PHP code can be injected through the REST API because of missing input validation. Regular user privileges...
CVE-2023-33243
RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database generally has become be...
PT-2023-24994 · Ujcms · Ujcms
Name of the Vulnerable Software and Affected Versions: ujcms version 6.0.2 Description: The issue concerns a file upload vulnerability. It is exploited via the "/api/backend/core/web-file-upload/upload" API endpoint. Recommendations: For ujcms version 6.0.2, consider restricting access to the...
JIZHICMS Code Issue Vulnerability
JIZHICMS (Extreme CMS) from Extreme Networks Technology is an open source content management system (CMS) from China's Extreme Networks Technology Company. A code issue vulnerability exists in JIZHICMS version 2.4.5, which stems from a problem in the file TemplateController.php, where manipulation of th...
CVE-2023-33236
MXsecurity version 1.0 is vulnerable to a hardcoded credential vulnerability. This vulnerability has been reported to be exploitable to craft arbitrary JWT tokens and subsequently bypass authentication for web-based APIs...
Checkmk Security Vulnerability
Checkmk is an editor. Checkmk from Checkmk GmbH has an authorization vulnerability that stems from improper REST API authorization, which an authenticated attacker can exploit to read arbitrary host configurations...
Design/Logic Flaw
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.36 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, using object model traversal in the payload of a PATCH request, authenticated users with write access to an obje...