
869 matches found

Prion
added 2019/11/26 4:15 p.m., 14 views

Code injection

On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an undocumented web API that allows unprivileged JavaScript, including JavaScript running within the KaiOS browser, to view and edit the device's firmware over-the-air update settings. This web API is normally used by the system application...

CVSS 4.3, AI score 6.2, EPSS 0.00207
Exploits: 1, References: 2, Affected Software: 1

CVE
added 2019/11/26 3:31 p.m., 42 views

CVE-2019-16243

CVE-2019-16243 affects TCL Alcatel Cingular Flip 2 B9HUAH1. An undocumented web API accessible from unprivileged JavaScript (including KaiOS browser) lets an attacker view and edit the device’s firmware OTA update settings; this API is normally used by OmaService.js by the system app. The root ca...

CVSS 6.1, AI score 6.2, EPSS 0.00207
Exploits: 1, References: 2, Affected Software: 1

Cvelist
added 2019/11/26 3:31 p.m., 11 views

CVE-2019-16243

On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an undocumented web API that allows unprivileged JavaScript, including JavaScript running within the KaiOS browser, to view and edit the device's firmware over-the-air update settings. This web API is normally used by the system application...

AI score 6.3, EPSS 0.00207
Exploits: 1, References: 2

Veracode
added 2019/11/20 2:46 a.m., 23 views

Improper Session Management

nifi-web-api does not properly handle the authentication tokens. When using an authentication mechanism other than PKI, nifi-web-api does not invalidate the server-side authentication tokens when the user clicks log out. This results in the session being valid for another 12 hours despite logging...

CVSS 8.8, AI score 3.9, EPSS 0.00559
Exploits: 0, References: 6, Affected Software: 1

Veracode
added 2019/11/20 2:18 a.m., 20 views

Information Disclosure

nifi-web-api is vulnerable to information disclosure. The vulnerability exists as the response included details about processors and controller services even when the user does not have access to them...

CVSS 5.3, AI score 2.4, EPSS 0.01188
Exploits: 0, References: 5, Affected Software: 1

OSV
added 2019/10/31 5:15 p.m., 3 views

CVE-2019-12612

An issue was discovered in Bitdefender BOX firmware versions before 2.1.37.37-34 that allows an attacker to pass arbitrary code to the BOX appliance via the web API. In order to exploit this vulnerability, an attacker needs presence in Bitdefender BOX setup network and Bitdefender BOX be in setup...

CVSS 7.8, AI score 7.2
Exploits: 0, References: 1

NVD
added 2019/10/31 5:15 p.m., 14 views

CVE-2019-12612

An issue was discovered in Bitdefender BOX firmware versions before 2.1.37.37-34 that allows an attacker to pass arbitrary code to the BOX appliance via the web API. In order to exploit this vulnerability, an attacker needs presence in Bitdefender BOX setup network and Bitdefender BOX be in setup...

CVSS 7.8, AI score 7.7, EPSS 0.00044
Exploits: 0, References: 1

Prion
added 2019/10/31 5:15 p.m., 22 views

Design/Logic Flaw

An issue was discovered in Bitdefender BOX firmware versions before 2.1.37.37-34 that allows an attacker to pass arbitrary code to the BOX appliance via the web API. In order to exploit this vulnerability, an attacker needs presence in Bitdefender BOX setup network and Bitdefender BOX be in setup...

CVSS 7.2, AI score 7.7, EPSS 0.00044
Exploits: 0, References: 1, Affected Software: 1

Cvelist
added 2019/10/31 4:02 p.m., 13 views

CVE-2019-12612

An issue was discovered in Bitdefender BOX firmware versions before 2.1.37.37-34 that allows an attacker to pass arbitrary code to the BOX appliance via the web API. In order to exploit this vulnerability, an attacker needs presence in Bitdefender BOX setup network and Bitdefender BOX be in setup...

AI score 7.7, EPSS 0.00044
Exploits: 0, References: 1

Tenable Nessus
added 2019/10/07 12:00 a.m., 13 views

Cisco HyperFlex Web API Detection

Binary data ciscohyperflexwebapidetect.nbin...

AI score 7.3
Exploits: 0, References: 1

OSV
added 2019/09/08 5:15 p.m., 4 views

CVE-2019-16101

Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows remote attackers to obtain potentially sensitive stack traces by sending incorrect JSON data to the REST API, such as the rest/json/banners URI...

CVSS 5.3, AI score 6.1, EPSS 0.00244
Exploits: 0, References: 1

CNVD
added 2019/09/05 12:00 a.m., 2 views

ASUS SmartHome Gateway HG100 Denial of Service Vulnerability

ASUS SmartHome Gateway HG100 is a smart home central control gateway device from ASUS, Taiwan, China. A security vulnerability exists in the web api server on port 8080 in the ASUS SmartHome Gateway HG100 using firmware version 1.05.12 and earlier. An attacker could exploit this vulnerability to...

CVSS 7.8, AI score 6.7, EPSS 0.01342
Exploits: 0, References: 1

Kitploit
added 2019/08/31 1:00 p.m., 316 views

0xsp Mongoose v1.7 - Linux/Windows Privilege Escalation intelligent Enumeration Toolkit

Using 0xsp mongoose you will be able to scan targeted operating system for any possible way for privilege escalation attacks, starting from collecting information stage until reporting information through 0xsp Web Application API. user will be able to scan different Linux / windows Operation...

AI score 7.5
Exploits: 0, References: 1

OSV
added 2019/08/29 1:15 a.m., 2 views

CVE-2019-11060

The web api server on Port 8080 of ASUS HG100 firmware up to 1.05.12, which is vulnerable to Slowloris HTTP Denial of Service: an attacker can cause a Denial of Service DoS by sending headers very slowly to keep HTTP or HTTPS connections and associated resources alive for a long period of time...

CVSS 7.5, AI score 7.1
Exploits: 0, References: 3

Cvelist
added 2019/08/29 12:19 a.m., 13 views

CVE-2019-11063 SmartHome application has a broken access control vulnerability in its Web API Server

A broken access control vulnerability in SmartHome app Android versions up to 3.0.42190515, ios versions up to 2.0.22 allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway HG100 via http://target/smarthome/devicecontrol witho...

CVSS 10, AI score 9.2, EPSS 0.01077
Exploits: 1, References: 3

Cvelist
added 2019/08/29 12:18 a.m., 14 views

CVE-2019-11061 HG100 has a broken access control vulnerability in its Web API Server

A broken access control vulnerability in HG100 firmware versions up to 4.00.06 allows an attacker in the same local area network to control IoT devices that connect with itself via http://target/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 Confidentiality, Integrity...

CVSS 10, AI score 9.2, EPSS 0.11613
Exploits: 1, References: 3

OSV
added 2019/08/15 7:15 p.m., 2 views

CVE-2019-13516

In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect...

CVSS 8.8, AI score 6.8, EPSS 0.00102
Exploits: 0, References: 1

NVD
added 2019/08/15 7:15 p.m., 8 views

CVE-2019-13516

In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect...

CVSS 8.8, AI score 8.7, EPSS 0.00102
Exploits: 0, References: 1

OSV
added 2019/08/15 7:15 p.m., 4 views

CVE-2019-13515

OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information...

CVSS 6.5, AI score 6.6
Exploits: 0, References: 1

NVD
added 2019/08/15 7:15 p.m., 13 views

CVE-2019-13515

OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information...

CVSS 6.5, AI score 7, EPSS 0.00222
Exploits: 0, References: 1