OSIsoft PI Web API Cross-Site Scripting Vulnerability (CNVD-2020-51561)

OSIsoft PI Web API is a RESTful interface to a set of PI systems from the U.S. company OSIsoft. The product supports client applications to read and write access to their AF and PI data via HTTPS. A cross-site scripting vulnerability exists in the OSIsoft PI Web API, which can be exploited by an...

OSIsoft PI Web API 2019

1. EXECUTIVE SUMMARY CVSS v3 7.7 ATTENTION: Exploitable remotely Vendor: OSIsoft Equipment: PI Web API 2019 Vulnerability: Cross-site Scripting 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a remote authenticated attacker with write access to a PI Server to trick a...

The vulnerability of the REST API interface for controlling physical infrastructure and virtual environments in Cisco UCS Director and Cisco UCS Director Express for Big Data allows attackers to enhance their privileges.

The vulnerability of the REST API interface used for controlling physical infrastructure and virtual environments in Cisco UCS Director and Cisco UCS Director Express for Big Data is related to insufficient validation of input data. Exploiting this vulnerability can allow an attacker to enhance...

CVE-2020-4427

IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process...

Cisco UCS Director and Cisco UCS Director Express for Big Data Path Traversal Vulnerability (CNVD-2020-25345)

Cisco UCS Director and Cisco UCS Director Express for Big Data are both products from Cisco, Inc. Cisco UCS Director is a heterogeneous platform for private cloud Infrastructure as a Service IaaS. Cisco UCS Director is a heterogeneous platform for private cloud infrastructure-as-a-service IaaS. A...

Huawei HG630 2 Router - Authentication Bypass Vulnerability

Exploit for hardware platform in category web applications Title: Huawei HG630 2 Router - Authentication Bypass Author: Eslam Medhat Vendor Homepage: www.huawei.com Version: HG630 V2 HardwareVersion: VER.B CVE: N/A POC: The default password of this router is the last 8 characters of the device's...

Apple Safari Flaws Enable One-Click Webcam Access

A security researcher has disclosed vulnerabilities in Apple’s Safari browser that can be used to snoop on iPhones, iPads and Mac computers using their microphones and cameras. To exploit the flaws in a real-world attack, all an attacker would need to do is convince a victim to click one maliciou...

Firefox Zero-Day Flaws Exploited in the Wild Get Patched

Mozilla patched two Firefox browser zero-day vulnerabilities actively being exploited in the wild. The flaws, both use-after-free bugs, have been part of “targeted attacks in the wild,” according to a Mozilla Foundation security advisory posted Friday. Both bugs have critical ratings and allow...

Vulnerability Spotlight: Intel Raid Web Console 3 denial-of-service bugs

Geoff Serrao of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered two denial-of-service vulnerabilities in the web API functionality of Intel RAID Web Console 3. The Raid Web Console is a web-based application that provides several configuration...

Intel Raid Web Console 3 add server denial-of-service vulnerability

Summary A remote, exploitable denial-of-service vulnerability exists in the web API functionality of Intel Raid Web Console 3. A specially crafted request can lead to a null pointer dereference in the Intel Raid Web Console server. This would result in a denial of service until the user restarts...

dnsFookup - DNS Rebinding Toolkit

DNS Rebinding freamwork containing: a dns server obviously web api to create new subdomains and control the dns server, view logs, stuff like that shitty react app to make it even more comfy What does it do? It lets you create dns bins like a burp collaborator but it adds a bit more features... a...

WSO2 API Manager Cross-Site Scripting Vulnerability (CNVD-2020-05074)

WSO2 API Manager is an open source api management platform , provides a series of api creation , release , lifecycle management , version control , monetization, governance and security features , used to support organizations to achieve soa. A cross-site scripting vulnerability exists in WSO2 AP...

The vulnerability of the REST API interface of the Cisco Data Center Network Manager system allows a attacker to perform arbitrary actions on the vulnerable device.

The vulnerability of the REST API interface of the Cisco Data Center Network Manager DCNM system is related to the use of pre-installed registration data. Exploiting this vulnerability allows a malicious actor to perform arbitrary actions on the vulnerable device remotely...

The vulnerability of the REST API interface of the Cisco Data Center Network Manager system allows a perpetrator to gain unauthorized access to protected information, affect data integrity, or execute arbitrary commands on the underlying operating system.

The vulnerability of the REST API interface of the Cisco Data Center Network Manager DCNM system is related to input validation errors. Exploiting this vulnerability could allow an attacker, operating remotely, to gain unauthorized access to protected information, compromise data integrity, or...

Cross-site Scripting (XSS)

nifi-web-api is vulnerable to cross-site scripting XSS. It does not handle error response properly, allowing an unauthenticated user when using the application with Firefox to inject malicious script via UI through action. Note: this vulnerability does occur in other browsers...

PT-2026-5160

Name of the Vulnerable Software and Affected Versions M/Monit version 3.7.4 Description An authenticated user can escalate privileges by manipulating the admin parameter. An attacker can send a crafted POST request to the /api/1/admin/users/update endpoint to grant administrative access to a...

PT-2019-6836 · Red Hat · Openshift Enterprise

Name of the Vulnerable Software and Affected Versions: OpenShift Enterprise version 1.2 Description: A CSRF issue was found in the web console, which uses 'Basic authentication', and the REST API lacks a CSRF attack protection mechanism. This allows an attacker to obtain credentials and the...

EXIST - Web Application For Aggregating And Analyzing Cyber Threat Intelligence

EXIST is a web application for aggregating and analyzing CTI cyber threat intelligence. EXIST is written by the following software. Python 3.5.4 Django 1.11.22 Concept EXIST is a web application for aggregating CTI to help security operators investigate incidents based on related indicators. EXIS...

Microsoft OAuth Flaw Opens Azure Accounts to Takeover

A vulnerability in the way Microsoft applications use OAuth for third-party authentication could allow an attacker to take over Azure cloud accounts. OAuth is a protocol that allows app users to share data about their accounts with third-party websites or apps, so that when they sign into the app...

CVE-2019-16243

On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an undocumented web API that allows unprivileged JavaScript, including JavaScript running within the KaiOS browser, to view and edit the device's firmware over-the-air update settings. This web API is normally used by the system application...