CAGE Web Design | Rolf Van Gelder Security Vulnerabilities

RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2024-019

This module exposes Drupal resources (e.g. entities) as RESTful web services. The module doesn't sufficiently restrict access for user...

Reportico Web fails to invalidate cookies upon logout

An issue in Reportico Web before v.8.1.0. This vulnerability arises from the failure of the web application to properly invalidate session cookies upon logout. When a user logs out of the application, the session cookie should be invalidated to prevent unauthorized access. However, due to the...

Misleading UI design: Settings -> VPN

In onResume of AppManagementFragment.java, there is a possible way to prevent users from forgetting a previously connected VPN due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

WAPPLES Web Application Firewall <=6.0 - Hardcoded Credentials

WAPPLES Web Application Firewall through 6.0 contains a hardcoded credentials vulnerability. It contains a hardcoded system account accessible via db/wp.no1, as configured in the /opt/penta/wapples/script/wcc_auto_scaling.py file. An attacker can use this account to access system configuration and....

Amcrest IP Camera Web Management - Data Exposure

Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenticated attacker to download the administrative...

Juniper Web Device Manager - Cross-Site Scripting

Juniper Web Device Manager (J-Web) in Junos OS contains a cross-site scripting vulnerability. This can allow an unauthenticated attacker to run malicious scripts reflected off J-Web to the victim's browser in the context of their session within J-Web, which can allow the attacker to steal...

KR-Web <=1.1b2 - Remote File Inclusion

KR-Web 1.1b2 and prior contain a remote file inclusion vulnerability via adm/krgourl.php, which allows remote attackers to execute arbitrary PHP code via a URL in the DOCUMENT_ROOT...

Smart Office Web 20.28 - Information Disclosure

An issue was discovered in Smart Office Web 20.28 and earlier allows attackers to download sensitive information via the action name parameter to ExportEmployeeDetails.aspx, and to...

ZEROF Web Server 1.0 - SQL Injection

ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login...

T24 Web Server - Local File Inclusion

T24 web server is vulnerable to unauthenticated local file inclusion that permits an attacker to exfiltrate data directly from...

Microstrategy Web 7 - Local File Inclusion

Microstrategy Web 7 is vulnerable to local file inclusion via "/WebMstr7/servlet/mstrWeb" (in the parameter subpage). Remote authenticated users can bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application. NOTE:...

Web Directory Free < 1.7.0 - Unauthenticated SQL Injection

Description The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection with different techniques like UNION, Time-Based and...

Remote code execution in web server context

User with administrative privileges and upload files that look like images but contain PHP code which can then be executed in the context of the web...

Quttera Web Malware Scanner <= 3.4.1.48 - Sensitive Data Exposure

The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 doesn't restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions of the site's...

Satellian Intellian Aptus Web <= 1.24 - Remote Command Execution

'Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be...

Joomla! Component Web TV 1.0 - Local File Inclusion

A directory traversal vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote attackers to read arbitrary files and have possibly other unspecified impacts via a .. (dot dot) in the controller parameter to...

CentOS Web Panel 7 <0.9.8.1147 - Remote Code Execution

CentOS Web Panel 7 before 0.9.8.1147 is susceptible to remote code execution via entering shell characters in the /login/index.php component. This can allow an attacker to execute arbitrary system commands via crafted HTTP requests and potentially execute malware, obtain sensitive information,...

CVE-2022-22536

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the.....

Apache Zeppelin CSRF vulnerability in the Credentials page

Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior...

rolf-sander.net Improper Access Control vulnerability OBB-3860291

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have...

Artica Web Proxy 4.30 - OS Command Injection

Artica Web Proxy 4.30 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via...

BOA Web Server 0.94.14 - Arbitrary File Access

BOA Web Server 0.94.14 is susceptible to arbitrary file access. The server allows the injection of "../.." using the FILECAMERA variable sent by GET to read files with root privileges and without using access...

Centos Web Panel 0.9.8.480 - Local File Inclusion

Centos Web Panel version 0.9.8.480 suffers from local file inclusion vulnerabilities. Other vulnerabilities including cross-site scripting and remote code execution are also known to impact this...

ZEROF Web Server 2.0 - Cross-Site Scripting

ZEROF Web Server 2.0 allows /admin.back cross-site...

Tiny Java Web Server - Cross-Site Scripting

A reflected cross-site scripting vulnerability in the web server TTiny Java Web Server and Servlet Container (TJWS) &lt;=1.115 allows an adversary to inject malicious code on the server's "404 Page not Found" error...

Cisco Integrated Management Controller Web-Based Management Interface Command Injection Vulnerability

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker with Administrator-level privileges to perform command injection attacks on an affected system and elevate their privileges to root. This...

CVE-2012-2212

McAfee Web Gateway 7.0 allows remote attackers to bypass the access configuration for the CONNECT method by providing an arbitrary allowed hostname in the Host HTTP header. NOTE: this issue might not be reproducible, because the researcher did not provide configuration details for the vulnerable...

SAP Web Application Server 6.x/7.0 - Open Redirect

frameset.htm in the BSP runtime in SAP Web Application Server (WAS) 6.10 through 7.00 allows remote attackers to log users out and redirect them to arbitrary web sites via a close command in the sap-sessioncmd parameter and a URL in the sap-exiturl...

Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java

Summary IBM Sterling Connect:Direct Web Service uses IBM Java SE. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details ** CVEID: CVE-2023-36478 DESCRIPTION: **Eclipse Jetty is vulnerable to a denial of service, caused by an integer overflow and buffer...

FortiGate FortiOS SSL VPN Web Portal - Cross-Site Scripting

FortiGate FortiOS through SSL VPN Web Portal contains a cross-site scripting vulnerability. The login redir parameter is not sanitized, so an attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal...

CVE-2024-24804

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in websoudan MW WP Form allows Stored XSS.This issue affects MW WP Form: from n/a through...

Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java

Summary IBM Sterling Connect:Direct Web Service uses IBM Java SE. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details ** CVEID: CVE-2023-22081 DESCRIPTION: **An unspecified vulnerability in Java SE related to the JSSE component could allow a remote...

Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java

Summary IBM Sterling Connect:Direct Web Service uses IBM Java SE. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details ** CVEID: CVE-2023-21930 DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to...

Podlove Web Player < 5.7.4 - Missing Authorization to Unauthenticated Information Exposure

Description The Podlove Web Player plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /shortcode REST API endpoint in all versions up to, and including, 5.7.3. This makes it possible for unauthenticated attackers to view information they...

Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java

Summary IBM Sterling Connect:Direct Web Service uses IBM Java SE. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details ** CVEID: CVE-2024-20932 DESCRIPTION: **An unspecified vulnerability in Java SE related to the Security component could allow a remote.....

Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java

Summary IBM Sterling Connect:Direct Web Service uses IBM Java SE. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details ** CVEID: CVE-2024-20952 DESCRIPTION: **An unspecified vulnerability in Java SE related to the Security component could allow a remote.....

HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have...

Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java

Summary IBM Sterling Connect:Direct Web Service uses IBM Java SE. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details ** CVEID: CVE-2023-40167 DESCRIPTION: **Jetty is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP/1...

CVE-2023-1671

A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary...

Oracle iPlanet Web Server 7.0.x - Authentication Bypass

Oracle iPlanet Web Server 7.0.x has incorrect access control for admingui/version URIs in the Administration console, as demonstrated by unauthenticated read access to encryption keys. NOTE a related support policy can be found in the www.oracle.com references attached to this...

Mattermost crashes web clients via a malformed custom status

Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom...

Ruby on Rails Web Console - Remote Code Execution

Ruby on Rails Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request to...

SonicWall GMS and Analytics Web Services - Shell Injection

The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier...

Palo Alto Networks PAN-OS Web Interface - Cross Site-Scripting

PAN-OS management web interface is vulnerable to reflected cross-site scripting. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute...

CVE-2024-4328

A Cross-Site Request Forgery (CSRF) vulnerability exists in the clear_personality_files_list function of the parisneo/lollms-webui v9.6. The vulnerability arises from the use of a GET request to clear personality files list, which lacks proper CSRF protection. This flaw allows attackers to trick...

Aruba VAN SDN Controller Detection

Aruba Virtual Application Networks (VAN) Software Defined Networking (SDN) controller, a unified control point in an OpenFlow-enabled network, is running on the remote...

SolarWinds Web Help Desk - Web Detection

The web interface for SolarWinds Web Help Desk was detected on the remote...

Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to privilege escalation due to Spring-Web (CVE-2023-44794)

Summary IBM Sterling Connect:Direct Web Services uses Spring-Web. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details ** CVEID: CVE-2023-44794 DESCRIPTION: **Dromara SaToken and SpringBoot could allow a remote authenticated attacker to gain elevated...

GHSA-JJG7-2V4V-X38H vulnerabilities

Vulnerabilities for packages: dask-gateway, request-1276, ggshield, kubeflow-pipelines, py3-idna, confluent-docker-utils, kubeflow-pipelines-visualization-server, kubeflow-katib, kubeflow-jupyter-web-app, py3-cassandra-medusa, k8s-sidecar,...