223 matches found
Magento OS command injection via the WebAPI
Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are vulnerable to OS command injection via the WebAPI. Successful exploitation could lead to remote code execution by an authenticated attacker. Access to the admin console is required for successful exploitation...
OHDSI WebAPI vulnerable to SQL Injection
Observational Health Data Sciences and Informatics OHDSI WebAPI before 2.7.2 allows SQL injection in FeatureExtractionService.java...
GHSA-2CHV-87WJ-PJV2 OHDSI WebAPI vulnerable to SQL Injection
Observational Health Data Sciences and Informatics OHDSI WebAPI before 2.7.2 allows SQL injection in FeatureExtractionService.java...
CVE-2021-41112
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In versions prior to 3.4.5, authenticated users could craft a request to modify or delete System or Project level Calendars, without appropriate authorization. Modifying or removing calendars could...
CVE-2021-41111
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user...
CVE-2021-41111
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to versions 3.4.5 and 3.3.15, an authenticated user with authorization to read webhooks in one project can craft a request to reveal Webhook definitions and tokens in another project. The user...
Authorization
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In versions prior to 3.4.5, authenticated users could craft a request to modify or delete System or Project level Calendars, without appropriate authorization. Modifying or removing calendars could...
Rundeck Cross-Site Request Forgery Vulnerability
Rundeck is an open source automation service with a web console, command line tools and WebAPI from Rundeck, Inc. that is primarily used to run automation tasks. a cross-site request forgery vulnerability exists in Rundeck, which stems from the fact that users with access to the "system" resource...
CVE-2021-39133
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, a user with admin access to the system resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code on all...
Authentication flaw
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, an authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with ...
Cross site request forgery (csrf)
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, a user with admin access to the system resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code on all...
CVE-2021-39133
Summary: CVE-2021-39133 affects Rundeck; prior to versions 3.3.14 and 3.4.3 a user with admin access to the system resource type could be CSRF-ed into causing the server to run untrusted code. The issue exposes all Rundeck editions to potential code execution via CSRF. Affected versions: Rundeck ...
CVE-2021-28585
Magento versions 2.4.2 and earlier, 2.4.1-p1 and earlier and 2.3.6-p1 and earlier are affected by an Improper input validation vulnerability in the New customer WebAPI.Successful exploitation could allow an attacker to send unsolicited spam e-mails...
CVE-2021-28585
Magento versions 2.4.2 and earlier, 2.4.1-p1 and earlier and 2.3.6-p1 and earlier are affected by an Improper input validation vulnerability in the New customer WebAPI.Successful exploitation could allow an attacker to send unsolicited spam e-mails...
Input validation
Magento versions 2.4.2 and earlier, 2.4.1-p1 and earlier and 2.3.6-p1 and earlier are affected by an Improper input validation vulnerability in the New customer WebAPI.Successful exploitation could allow an attacker to send unsolicited spam e-mails...
CVE-2021-28585 Magento Commerce improper input validation in customer customer webapi
Magento versions 2.4.2 and earlier, 2.4.1-p1 and earlier and 2.3.6-p1 and earlier are affected by an Improper input validation vulnerability in the New customer WebAPI.Successful exploitation could allow an attacker to send unsolicited spam e-mails...
CVE-2021-28585
CVE-2021-28585 affects Magento Commerce/Open Source (Magento), specifically the New customer WebAPI. Affected are Magento versions 2.4.2 and earlier, 2.4.1-p1 and earlier, and 2.3.6-p1 and earlier. The root cause is Improper input validation in the New customer WebAPI, which could allow an attack...
Synology DiskStation Manager Information Disclosure Vulnerability (CNVD-2021-45741)
DiskStation Manager DSM is an operating system that runs on all Synology NAS and can be operated through an intuitive web interface. An information disclosure vulnerability exists in the webapi component of Synology DiskStation Manager prior to version 6.2.3-25426-3. A remote attacker can exploit...
CVE-2021-29087
Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in webapi component in Synology DiskStation Manager DSM before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors...
CVE-2021-29086
Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager DSM before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors...