Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. contains a command injection vulnerability. PowerCMS XMLRPC API provided by Alfasado Inc. Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the post function at /web/api/v1/upload/UploadHandler.php. An attacker could potentially exploit this vulnerability, to gain unauthorized read access to the files stored on the server filesystem, with the privileges of the running web application.Īn issue in the component /api/plugin/upload of Dataease v1.11.1 allows attackers to execute arbitrary code via a crafted plugin.Īn access control issue in the component /api/plugin/uninstall Dataease v1.11.1 allows attackers to arbitrarily uninstall the plugin, a right normally reserved for the administrator. WMS 3.7 contains a Path Traversal Vulnerability in Device API. The attacker may potentially alter the docker images leading to a loss of integrity and confidentiality A remote unauthenticated attacker may potentially access and interact with the docker registry API leading to an authentication bypass. We recommend upgrading to versions later than or equal to 5.3.2 or 4.2.3.ĭigital Watchdog DW Spectrum Server 4.2 allows attackers to access sensitive infromation via a crafted API call.ĭell PowerProtect Cyber Recovery versions before 19.11.0.2 contain an authentication bypass vulnerability. This can be used to query the API which disclose medical information as well as id number.Ī bad credential handling in the remote assets API for Bazel versions prior to 5.3.2 and 4.2.3 sends all user-provided credentials instead of only the required ones for the requests. Another endpoint mapped by the tiny url, was one for reservation cancellation, containing the MongoDB ID of the reservation, and organization. Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system. Jenkins OpsGenie Plugin 1.9 and earlier transmits API keys in plain text as part of the global Jenkins configuration form and job configuration forms, potentially resulting in their exposure. Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API. The url parameter of the /api/geojson endpoint in Metabase versions.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |