869 matches found
CVE-2022-27610
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25423 allows remote authenticated users to delete arbitrary files via unspecified vectors...
PT-2022-15632 · Synology · Synology Calendar
Name of the Vulnerable Software and Affected Versions: Synology Calendar versions prior to 2.3.4-0631. Description: A Cross-Site Request Forgery (CSRF) issue in the webapi component allows remote authenticated users to hijack the authentication of administrators via unspecified vectors. This could...
CVE-2022-27613
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in the webapi component in Synology CardDAV Server before 6.0.10-0153 allows remote authenticated users to inject SQL commands via unspecified vectors...
CVE-2021-36200
Under certain circumstances an unauthenticated user could access the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users...
CVE-2021-36200 Metasys ADS/ADX/OAS with MUI
Under certain circumstances an unauthenticated user could access the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users...
CVE-2021-36200
CVE-2021-36200 affects Johnson Controls Metasys ADS/ADX/OAS with MUI, specifically versions 10 and 11. The vulnerability is missing authentication for a critical function, allowing an unauthenticated user to access the Metasys web API and enumerate users. CVSS v3 base score is 5.3 (AV:N/AC:L/PR:N...
CVE-2022-36305
Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the body function at /web/api/v1/upload/UploadHandler.php...
Vesta Control Panel Cross-Site Scripting Vulnerability
Vesta Control Panel (VestaCP) is an open source web hosting control panel. A security vulnerability exists in Vesta Control Panel version v1.0.0-5: the post function in /web/api/v1/upload/UploadHandler.php contains a cross-site scripting (XSS) vulnerability...
CVE-2022-33138
A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). Affected devices do not perform authentication f...
CVE-2022-33138
CVE-2022-33138 affects Siemens SIMATIC MV500 family (MV540 H/S, MV550 H/S, MV560 U/X): all versions before v3.3. The root cause is missing authentication for several web API endpoints, enabling an unauthenticated remote attacker to read and download data from the device. Siemens-Mitigation: updat...
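Both the Metasys entry (CVE-2021-36200) and the SIMATIC MV500 entry (CVE-2022-33138) describe the same defect class: web API endpoints that answer without checking credentials. The block below is an added illustration written for this page, not code from Johnson Controls, Siemens, or either product (their real API paths and authentication schemes are not given in the entries). It uses only the Python standard library: a tiny WSGI app in which every route is protected unless it is on an explicit public allowlist, a helper that drives the app in-process with no network, and the check a tester would run against a device: request every known route with no credentials and list those that still return 200. The routes, user, and password are constructed for the demo.

```python
import base64
import hmac

# Constructed credentials and routes for the demo only.
USERS = {"operator": "s3cret"}
PUBLIC = {"/api/health"}  # the only routes allowed to answer without credentials

ROUTES = {
    "/api/health": lambda env: "ok",
    "/api/users": lambda env: ",".join(USERS),  # user enumeration, as in CVE-2021-36200
    "/api/export": lambda env: "device data",   # data download, as in CVE-2022-33138
}


def authenticated(environ):
    """Validate an HTTP Basic header. Returns False on any malformed input."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    if not header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return False
    expected = USERS.get(user)
    # Constant-time comparison; look up a missing user without short-circuiting on the name.
    return expected is not None and hmac.compare_digest(pw.encode(), expected.encode())


def app(environ, start_response):
    """Deny-by-default WSGI app: authentication runs before routing, so an
    unauthenticated caller cannot even learn which paths exist."""
    path = environ.get("PATH_INFO", "")
    if path not in PUBLIC and not authenticated(environ):
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", 'Basic realm="api"'),
                        ("Content-Type", "text/plain")])
        return [b"unauthorized"]
    handler = ROUTES.get(path)
    if handler is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [handler(environ).encode()]


def request(path, auth=None):
    """Call the app directly (no sockets) and return (status, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    captured = []

    def start_response(status, headers):
        captured.append(status)

    body = b"".join(app(environ, start_response))
    return captured[0], body.decode()


def audit_unauthenticated():
    """The tester's check: every known route hit with no credentials;
    anything answering 200 that is not meant to be public is a finding."""
    return sorted(p for p in ROUTES if request(p)[0].startswith("200"))


if __name__ == "__main__":
    print("reachable without credentials:", audit_unauthenticated())
    print(request("/api/users"))
    print(request("/api/users", ("operator", "s3cret")))
```

Against a real device the same audit loop would be run with an HTTP client over the documented endpoint list; the point is that the expected answer for anything not deliberately public is 401, and a 200 (or a 404 that differs from the 401 given for unknown paths) is the finding.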
pyathenastack Path Traversal Vulnerability
pyathenastack is a web API project by the individual developer olmax99. It provides a distributed backend stack for reading larger datasets and storing them to AWS S3. A path traversal vulnerability exists in pyathenastack version 2019-11-08 and earlier, which stems from an incorrect call to Flask's...
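The DSM entry (CVE-2022-27610) and the pyathenastack entry above are both path traversal: a request-supplied path fragment is joined onto a base directory and the result is used without checking that it still lies inside that directory. The entry does not say which Flask call pyathenastack made, so the block below does not reproduce it; it is an added example written for this page, not code from either project, showing the generic containment check in standard-library Python: resolve the joined path with realpath (which also follows symlinks) and require that the base directory is a prefix of the result. The sandbox directory, file names, and sample inputs are constructed in the demo function.

```python
import os
import tempfile


def vulnerable_resolve(root, requested):
    """The pattern behind classic traversal bugs: untrusted input joined onto
    the base directory with no containment check. An absolute `requested`
    even discards `root` entirely (os.path.join semantics)."""
    return os.path.join(root, requested)


def resolve_under_root(root, requested):
    """Return the real path of `requested` inside `root`, or raise
    PermissionError if the resolved path escapes `root`.

    realpath collapses '..' segments and follows symlinks, so a link inside
    root that points outside is rejected as well as a plain '../' sequence."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"path escapes root: {requested!r}")
    return candidate


def classify(root, samples):
    """For each untrusted sample return (vulnerable_version_escapes_root,
    hardened_version_rejects). A correct check rejects exactly the escapes."""
    root_real = os.path.realpath(root)
    results = {}
    for s in samples:
        vuln = os.path.realpath(vulnerable_resolve(root, s))
        escapes = os.path.commonpath([root_real, vuln]) != root_real
        try:
            resolve_under_root(root, s)
            rejected = False
        except PermissionError:
            rejected = True
        results[s] = (escapes, rejected)
    return results


def demo():
    """Constructed sandbox: a served directory with one report file, a secret
    file one level above it, and a symlink inside the served directory that
    points at the secret. Returns the classify() table for five inputs."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "served")
    os.makedirs(os.path.join(root, "reports"))
    with open(os.path.join(root, "reports", "q1.txt"), "w") as f:
        f.write("ok\n")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as f:
        f.write("not for you\n")
    os.symlink(secret, os.path.join(root, "link"))  # attacker-planted or pre-existing link
    samples = [
        "reports/q1.txt",             # legitimate
        "reports/../reports/q1.txt",  # contains '..' but stays inside root
        "../secret.txt",              # classic traversal
        "/etc/passwd",                # absolute path replaces root in os.path.join
        "link",                       # symlink escaping root
    ]
    return classify(root, samples)


if __name__ == "__main__":
    for sample, (escapes, rejected) in demo().items():
        print(f"{sample:28} escapes={escapes!s:5} hardened_rejects={rejected}")
```

Note that the check is a reject, not a clamp: normalising the input first (for example with normpath on a leading slash) would silently turn "../../etc/passwd" into "etc/passwd" under the root, which hides the attempt from logs. Rejecting and logging the raw input is what you want on a file-serving or file-deleting endpoint like the one in the DSM entry.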
The vulnerability in GitLab, the Git-based platform for collaborative software development, is related to access control deficiencies and allows an attacker to gain unauthorized access to restricted functions.
The vulnerability in GitLab, the Git-based platform for collaborative software development, is related to access control deficiencies. Exploiting it could allow a remote attacker to gain unauthorized access to restricted functions through the REST API...
UBUNTU-CVE-2022-29241
Jupyter Server provides the backend (the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter Notebook. Prior to version 1.17.1, if the notebook server is started with a value of root_dir that contains the starting user's home directory, then the underlying REST API ca...
Apache Airflow Web API Detection
Binary data apacheairflowwebapidetect.nbin...
CVE-2022-20693
A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to perform an injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input...