Lucene search

869 matches found

Prion
added 2019/08/15 7:15 p.m. | 14 views

Information disclosure

OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information...

CVSS 4 | AI score 6.9 | EPSS 0.00222
Exploits: 0 | References: 1 | Affected Software: 1

CVE
added 2019/08/15 6:49 p.m. | 106 views

CVE-2019-13516

CVE-2019-13516 affects OSIsoft PI Web API (and prior versions). The issue is a cross-site request forgery protection setting that has not taken effect, leaving the PI Web API vulnerable to direct attack. Affected products include PI Web API 2018 and earlier versions. Exploitation details are not ...

CVSS 8.8 | AI score 8.5 | EPSS 0.00102
Exploits: 0 | References: 1 | Affected Software: 1

CVE
added 2019/08/15 6:39 p.m. | 100 views

CVE-2019-13515

CVE-2019-13515 affects OSIsoft PI Web API 2018 and earlier, enabling disclosure of sensitive information via log files (CWE-532). The vulnerability exists in the PI Web API REST interface and is driven by how logs may contain sensitive data. Affected versions are PI Web API 2018 and prior. Remedi...

CVSS 6.5 | AI score 6.4 | EPSS 0.00222
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2019/08/15 6:39 p.m. | 12 views

CVE-2019-13515

OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information...

AI score 6.5 | EPSS 0.00222
Exploits: 0 | References: 1

ICS
added 2019/08/13 12:0 a.m. | 65 views

OSIsoft PI Web API

1. EXECUTIVE SUMMARY
CVSS v3 8.5
ATTENTION: Exploitable remotely
Vendor: OSIsoft LLC
Equipment: OSIsoft PI Web API
Vulnerabilities: Inclusion of Sensitive Information in Log Files, Protection Mechanism Failure

2. RISK EVALUATION
Successful exploitation of these vulnerabilities may allow direct...

CVSS 8.8 | AI score 8.1 | EPSS 0.00222
Exploits: 0 | References: 5

Vulnrichment
added 2019/07/04 7:55 p.m. | 2 views

CVE-2019-1889 Cisco Application Policy Infrastructure Controller REST API Privilege Escalation Vulnerability

A vulnerability in the REST API for software device management in Cisco Application Policy Infrastructure Controller (APIC) Software could allow an authenticated, remote attacker to escalate privileges to root on an affected device. The vulnerability is due to incomplete validation and error checki...

CVSS 7.2 | AI score 5.7 | EPSS 0.00912
Exploits: 0 | References: 1

Kitploit
added 2019/07/01 1:6 p.m. | 32 views

0xsp-Mongoose - Privilege Escalation Enumeration Toolkit (ELF 64/32), Fast, Intelligent Enumeration With Web API Integration

Using 0xsp mongoose you will be able to scan a targeted operating system for any possible way for privilege escalation attacks, starting from collecting information stage until reporting information through 0xsp Web Application API. User will be able to scan different Linux OS system at the same...

AI score 7.4
Exploits: 0 | References: 1

OSV
added 2019/06/18 4:15 p.m. | 2 views

DEBIAN-CVE-2018-18836

An issue was discovered in Netdata 1.10.0. JSON injection exists via the api/v1/data tqx parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c...

CVSS 6.5 | AI score 7.4 | EPSS 0.00209
Exploits: 1 | References: 1

CVE
added 2019/06/18 3:11 p.m. | 177 views

CVE-2018-18837

CVE-2018-18837 affects Netdata 1.10.0 and is described as HTTP Header Injection via the api/v1/data filename parameter due to web_client_api_request_v1_data in web/api/web_api_v1.c. The vulnerability is categorized as a header injection issue (CVSS details shown in the entry: CVSSv3 base score 6....

CVSS 6.1 | AI score 6.7 | EPSS 0.00268
Exploits: 1 | References: 4 | Affected Software: 1

Debian CVE
added 2019/06/18 3:11 p.m. | 26 views

CVE-2018-18837

An issue was discovered in Netdata 1.10.0. HTTP Header Injection exists via the api/v1/data filename parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c...

CVSS 6.1 | AI score 6.9 | EPSS 0.00268
Exploits: 1

OSV
added 2019/05/10 12:29 p.m. | 2 views

CVE-2019-1867

A vulnerability in the REST API of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to bypass authentication on the REST API. The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by sending a crafted...

CVSS 10 | AI score 7.5 | EPSS 0.13553
Exploits: 0 | References: 1

NVD
added 2019/05/06 5:29 p.m. | 8 views

CVE-2019-5430

In UniFi Video 3.10.0 and prior, due to the lack of CSRF protection, it is possible to abuse the Web API to make changes on the server configuration without the user's consent, requiring the attacker to lure an authenticated user to access an attacker-controlled page...

CVSS 8.8 | AI score 8.6 | EPSS 0.00187
Exploits: 0 | References: 2

OSV
added 2019/04/22 4:29 p.m. | 0 views

UBUNTU-CVE-2014-1427

A vulnerability in the REST API of Ubuntu MAAS allows an attacker to cause a logged-in user to execute commands via cross-site scripting. This issue affects MAAS versions prior to 1.9.2...

CVSS 9.6 | AI score 5.6 | EPSS 0.00383
Exploits: 0 | References: 2

OSV
added 2019/02/19 5:29 p.m. | 7 views

CVE-2019-5767

Insufficient protection of permission UI in WebAPKs in Google Chrome on Android prior to 72.0.3626.81 allowed an attacker who convinced the user to install a malicious application to access privacy/security sensitive web APIs via a crafted APK...

CVSS 6.5 | AI score 6.9
Exploits: 0 | References: 7

OSV
added 2019/02/07 9:29 p.m. | 3 views

CVE-2019-1679

A vulnerability in the web interface of Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server (VCS) Software could allow an authenticated, remote attacker to trigger an HTTP request from an affected server to an arbitrary host. This type of attack ...

CVSS 5 | AI score 6.1
Exploits: 0 | References: 2

Tenable Nessus
added 2019/01/30 12:0 a.m. | 22 views

Kubernetes Web API Detection

Binary data kuberneteswebapidetect.nbin...

AI score 7.3
Exploits: 0 | References: 1

OSV
added 2018/12/20 2:29 p.m. | 1 views

CVE-2018-1778

IBM LoopBack (IBM API Connect 2018.1, 2018.4.1, 5.0.8.0, and 5.0.8.4) could allow an attacker to bypass authentication if the AccessToken Model is exposed over a REST API, it is then possible for anyone to create an AccessToken for any User provided they know the userId and can hence get access to...

CVSS 8.1 | AI score 5.8 | EPSS 0.00349
Exploits: 0 | References: 3

Veracode
added 2018/12/20 8:13 a.m. | 14 views

Denial Of Service (DoS)

nifi-web-api is vulnerable to denial of service attacks. The vulnerability exists because there is a flaw in OkHttpReplicationClient.java which leads to a missing Content-Length check for DELETE requests and non-zero Content-Length header values when a client request to a cluster node was replicate...

CVSS 7.5 | AI score 7.1 | EPSS 0.01309
Exploits: 0 | References: 2 | Affected Software: 1

Veracode
added 2018/12/20 4:29 a.m. | 25 views

Clickjacking Attack

nifi-web-api is vulnerable to clickjacking attacks. The vulnerability exists due to the way the X-Frame-Options headers were inconsistently applied on HTTP responses. This results in different outcomes such as duplicate or missing security headers, causing some browsers to insecurely interpret t...

CVSS 6.5 | AI score 6.3 | EPSS 0.0159
Exploits: 0 | References: 8 | Affected Software: 2

Veracode
added 2018/12/20 4:20 a.m. | 21 views

Cross-site Request Forgery (CSRF)

nifi-web-api is vulnerable to cross-site request forgery (CSRF) attacks. The vulnerability exists due to the lack of Cross-Origin Resource Sharing (CORS) filter applied to the template/upload endpoint, allowing requests from different domains in the origin to be accepted...

CVSS 7.5 | AI score 7.3 | EPSS 0.00364
Exploits: 0 | References: 4 | Affected Software: 1