
869 matches found

BDU FSTEC · added 2021/02/25 12:00 a.m. · 0 views

Vulnerability of the web-API service provided by Junos routers of the NFX Series and SRX Series, allowing attackers to obtain the secret key for the web-API service

The vulnerability of the web-API service of Junos router series NFX and SRX is related to errors in managing cryptographic keys. Exploiting this vulnerability can allow an attacker to obtain the secret key for the web-API service...

CVSS 6.5 · EPSS 0.00054
Exploits 0 · References 7 · Affected Software 1
OSV · added 2021/02/23 5:15 p.m. · 3 views

CVE-2021-26685

A remote authenticated SQL Injection vulnerability was discovered in Aruba ClearPass Policy Manager versions: Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the web-based management interface API of ClearPass could allow an authenticated remote attacker to conduct SQL injection attack...

CVSS 6.5 · AI score 6.7 · EPSS 0.00197
Exploits 0 · References 1
CNNVD · added 2021/01/26 12:00 a.m. · 2 views

ASSA ABLOY Yale WIPC-303W Operating System OS Command Injection Vulnerability

ASSA ABLOY Yale WIPC-303W is a home smart camera from ASSA ABLOY, Sweden. The ASSA ABLOY Yale WIPC-303W 2.21 through 2.31 camera suffers from an operating system command injection vulnerability that stems from command injection in the HTTP API and is susceptible to Remote Command Execution (RCE)...

CVSS 8.8 · AI score 7.3 · EPSS 0.11128
Exploits 1 · References 4
Positive Technologies · added 2021/01/22 12:00 a.m. · 3 views

PT-2021-10950 · Yale · Yale Wipc-303W

Name of the Vulnerable Software and Affected Versions: Yale WIPC-303W versions 2.21 through 2.31
Description: The issue allows for remote command execution through command injection via the HTTP API.
Recommendations: For versions 2.21 through 2.31, update to a version that is not affected by this...

CVSS 8.8 · AI score 7.7 · EPSS 0.11128
Exploits 1 · References 5
OSV · added 2021/01/20 9:15 p.m. · 3 views

CVE-2021-1135

Multiple vulnerabilities in the REST API endpoint of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization. For more information about these vulnerabilities, see the Details section of this advisory...

CVSS 4.3 · AI score 5.9
Exploits 0 · References 1
CNVD · added 2020/11/19 12:00 a.m. · 2 views

Cisco IoT Field Network Director Elevation of Privilege Vulnerability

Cisco IoT Field Network Director (FND) is a network management system for large-scale FAN deployments. An elevation of privilege vulnerability exists in the REST API of Cisco IoT Field Network Director versions prior to 4.6.1. The vulnerability stems from the software failing to properly authentica...

CVSS 10 · AI score 7 · EPSS 0.04838
Exploits 0 · References 1
OSV · added 2020/11/18 7:15 p.m. · 2 views

CVE-2020-3531

A vulnerability in the REST API of Cisco IoT Field Network Director (FND) could allow an unauthenticated, remote attacker to access the back-end database of an affected system. The vulnerability exists because the affected software does not properly authenticate REST API calls. An attacker could...

CVSS 9.8 · AI score 7.3 · EPSS 0.04838
Exploits 0 · References 1
BDU FSTEC · added 2020/11/17 12:00 a.m. · 1 view

The vulnerability of the integration component of the Magento Commerce software development and management platform, related to authentication errors, allows attackers to gain unauthorized access to protected information and delete customer data through the REST API without authorization.

The vulnerability of the integration component of the Magento Commerce software for online store development and management is related to authentication errors. Exploiting this vulnerability can allow an attacker to gain unauthorized access to protected information and delete customer data throug...

CVSS 6.5 · EPSS 0.00191
Exploits 0 · References 4 · Affected Software 2
OSV · added 2020/11/16 3:15 p.m. · 2 views

CVE-2020-25209

In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure via the REST API...

CVSS 7.5 · AI score 7.1 · EPSS 0.00003
Exploits 0 · References 2
Kitploit · added 2020/11/12 11:30 a.m. · 40 views

Leonidas - Automated Attack Simulation In The Cloud, Complete With Detection Use Cases

Leonidas is a framework for executing attacker actions in the cloud. It provides a YAML-based format for defining cloud attacker tactics, techniques and procedures (TTPs) and their associated detection properties. These definitions can then be compiled into: A web API exposing each test case as an...

AI score 7.1
Exploits 0 · References 11
Tenable Nessus · added 2020/11/06 12:00 a.m. · 303 views

Dell OpenManage Server Administrator Path Traversal (DSA-2020-172)

The version of Dell OpenManage Server Administrator (OMSA) running on the remote host is affected by a path traversal vulnerability due to improper sanitization of user-supplied input to a web API request. An unauthenticated, remote attacker can exploit this, via a crafted request, to gain file...

CVSS 9.1 · AI score 8.3 · EPSS 0.8005
Exploits 4 · References 2
CNVD · added 2020/10/19 12:00 a.m. · 3 views

Junos OS SRX/NFX Elevation of Privilege Vulnerability

Junos OS runs on the SRX and NFX Series devices from Juniper Networks. A security vulnerability exists in the handling of Web API private keys on Junos OS SRX/NFX devices, which a remote attacker can exploit by submitting a specially crafted request to elevate privileges...

CVSS 6.5 · AI score 7 · EPSS 0.00054
Exploits 0 · References 1
OSV · added 2020/10/16 9:15 p.m. · 2 views

CVE-2020-1688

On Juniper Networks SRX Series and NFX Series, a local authenticated user with access to the shell may obtain the Web API service private key that is used to provide encrypted communication between the Juniper device and the authenticator services. Exploitation of this vulnerability may allow an...

CVSS 6.5 · AI score 6.6 · EPSS 0.00054
Exploits 0 · References 5
Prion · added 2020/10/16 9:15 p.m. · 17 views

Authentication flaw

On Juniper Networks SRX Series and NFX Series, a local authenticated user with access to the shell may obtain the Web API service private key that is used to provide encrypted communication between the Juniper device and the authenticator services. Exploitation of this vulnerability may allow an...

CVSS 2.1 · AI score 6.4 · EPSS 0.00054
Exploits 0 · References 5 · Affected Software 1
CVE · added 2020/10/16 8:31 p.m. · 59 views

CVE-2020-1688

Technical details (affected products/versions/impact/fix) are not publicly available in the provided connected documents. Monitor for updates.

CVSS 6.5 · AI score 6.4 · EPSS 0.00054
Exploits 0 · References 5 · Affected Software 1
Cvelist · added 2020/10/16 8:31 p.m. · 14 views

CVE-2020-1688 Junos OS: SRX and NFX Series: Insufficient Web API private key protection

On Juniper Networks SRX Series and NFX Series, a local authenticated user with access to the shell may obtain the Web API service private key that is used to provide encrypted communication between the Juniper device and the authenticator services. Exploitation of this vulnerability may allow an...

CVSS 6.5 · AI score 6.4 · EPSS 0.00054
Exploits 0 · References 5
Positive Technologies · added 2020/10/15 12:00 a.m. · 2 views

PT-2020-4582 · Adobe · Magento

Name of the Vulnerable Software and Affected Versions: Magento versions 2.4.0 and 2.3.5p1 and earlier
Description: The issue is related to incorrect permissions within the Integrations component, which could be exploited by users with permissions to the Pages resource to delete cms pages via the...

CVSS 7.8 · AI score 3.6 · EPSS 0.00273
Exploits 0 · References 11
CNVD · added 2020/10/09 12:00 a.m. · 2 views

Cisco Industrial Network Director Denial of Service Vulnerability

Cisco Industrial Network Director (IND) is an industrial automation management system from Cisco. The system achieves automation management by visualizing the industrial Ethernet infrastructure. A denial of service vulnerability exists in the management REST API in Cisco Industrial Network Director...

CVSS 6.8 · AI score 6.8 · EPSS 0.00368
Exploits 0 · References 1
OSV · added 2020/10/08 11:15 p.m. · 11 views

CVE-2020-15243

Affected versions of Smartstore have a missing WebApi Authentication attribute. This vulnerability affects Smartstore shops in version 4.0.0 & 4.0.1 which have installed and activated the Web API plugin. Users of Smartstore 4.0.0 and 4.0.1 must merge their repository with 4.0.x or overwrite the...

CVSS 9.8 · AI score 6.8
Exploits 0 · References 1
Prion · added 2020/10/08 11:15 p.m. · 12 views

Authentication flaw

Affected versions of Smartstore have a missing WebApi Authentication attribute. This vulnerability affects Smartstore shops in version 4.0.0 & 4.0.1 which have installed and activated the Web API plugin. Users of Smartstore 4.0.0 and 4.0.1 must merge their repository with 4.0.x or overwrite the...

CVSS 7.5 · AI score 9.3 · EPSS 0.00277
Exploits 0 · References 1 · Affected Software 1