1826 matches found

Positive Technologies
added 2023/08/30 12:00 a.m. · 3 views

PT-2023-28262 · WordPress · Poeditor

Name of the Vulnerable Software and Affected Versions: POEditor WordPress plugin versions prior to 0.9.8 Description: The issue is related to the lack of CSRF checks in various places within the plugin, allowing attackers to perform unwanted actions on logged-in admins, such as resetting the...

CVSS 4.3 · AI score 5.4 · EPSS 0.00083
Exploits 2 · References 5

Kitploit
added 2023/08/25 12:30 p.m. · 45 views

Poastal - The Email OSINT Tool

Poastal is an email OSINT tool that provides valuable information on any email address. With Poastal, you can easily input an email address and it will quickly answer several questions, providing you with crucial information. Features Determine the name of the person who has the email. Check if t...

AI score 6.9
Exploits 0 · References 1

Veracode
added 2023/08/22 4:11 a.m. · 19 views

Cross-Site Request Forgery (CSRF)

wallabag/wallabag is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists in the deleteClientAction function of DeveloperController.php as it does not properly validate the CSRF token, which allows an attacker to arbitrarily delete the API key by sending a GET request to the...

CVSS 6.5 · AI score 6.8 · EPSS 0.00153
Exploits 1 · References 4 · Affected Software 1

Github Security Blog
added 2023/08/21 8:28 p.m. · 30 views

Wallabag user can delete own API client unintentionally

Description wallabag was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily delete API key via /developer/client/delete/id This vulnerability has a CVSSv3.1 score of 6.5. You should immediately patch your instance to version 2.6.3 or higher if you have...

CVSS 6.5 · AI score 6.6 · EPSS 0.00153
Exploits 1 · References 4 · Affected Software 1

Kitploit
added 2023/08/20 12:30 p.m. · 32 views

HEDnsExtractor - Raw Html Extractor From Hurricane Electric Portal

HEDnsExtractor Raw html extractor from Hurricane Electric portal Features Automatically identify IPAddr or Networks through command line parameter or stdin Extract networks based on IPAddr. Extract domains from networks. Installation go install -v...

AI score 7.4
Exploits 0 · References 1

WPVulnDB
added 2023/08/14 12:00 a.m. · 13 views

Robo Gallery < 3.2.16 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) PoC 1. Go to:...

CVSS 4.8 · AI score 4.7 · EPSS 0.00112
Exploits 2 · Affected Software 1

MongoDB
added 2023/08/08 10:30 a.m. · 77 views

Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...

CVSS 7.2 · AI score 6.9 · EPSS 0.00193
Exploits 0 · References 3 · Affected Software 1

NVD
added 2023/08/08 9:15 a.m. · 13 views

CVE-2023-4009

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...

CVSS 7.2 · AI score 7 · EPSS 0.00193
Exploits 0 · References 3

Prion
added 2023/08/08 9:15 a.m. · 31 views

Privilege escalation

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...

CVSS 5.8 · AI score 6.9 · EPSS 0.00193
Exploits 0 · References 3 · Affected Software 1

Cvelist
added 2023/08/08 8:37 a.m. · 14 views

CVE-2023-4009 Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...

CVSS 7.2 · AI score 7.2 · EPSS 0.00193
Exploits 0 · References 3

Vulnrichment
added 2023/08/08 8:37 a.m. · 9 views

CVE-2023-4009 Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...

CVSS 7.2 · AI score 6.8 · EPSS 0.00193
Exploits 0 · References 3

CNNVD
added 2023/08/08 12:00 a.m. · 2 views

MongoDB Ops Manager Security Vulnerability

MongoDB Ops Manager is a solution from MongoDB, Inc. that supports the management, monitoring, and backup of MongoDB deployments. A security vulnerability exists in MongoDB Ops Manager versions prior to 5.0.22, 6.0.17, and 6.0.17, which originates from a user with Project Owner or Project User...

CVSS 7.2 · AI score 6.9 · EPSS 0.00193
Exploits 0 · References 4

WPVulnDB
added 2023/08/07 12:00 a.m. · 9 views

POEditor < 0.9.8 - Settings Reset via CSRF

Description The plugin does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks. PoC...

CVSS 4.3 · AI score 7 · EPSS 0.00083
Exploits 2 · References 1 · Affected Software 1

Veracode
added 2023/08/06 4:19 a.m. · 32 views

Information Disclosure

gitlab is vulnerable to Information Disclosure. The vulnerability allows a project maintainer to access the DataDog integration API key from webhook logs resulting in disclosure of sensitive information...

CVSS 6.8 · AI score 6.6 · EPSS 0.00167
Exploits 0 · References 3 · Affected Software 1

NVD
added 2023/07/27 7:15 p.m. · 9 views

CVE-2023-38510

Tolgee is an open-source localization platform. Starting in version 3.14.0 and prior to version 3.23.1, when a request is made using an API key, the backend fails to verify the permission scopes associated with the key, effectively bypassing permission checks entirely for some endpoints. It's...

CVSS 8.1 · AI score 7.8 · EPSS 0.00142
Exploits 0 · References 4

Prion
added 2023/07/27 7:15 p.m. · 9 views

Code injection

Tolgee is an open-source localization platform. Starting in version 3.14.0 and prior to version 3.23.1, when a request is made using an API key, the backend fails to verify the permission scopes associated with the key, effectively bypassing permission checks entirely for some endpoints. It's...

CVSS 5.5 · AI score 7.7 · EPSS 0.00142
Exploits 0 · References 4 · Affected Software 1

Cvelist
added 2023/07/27 6:57 p.m. · 12 views

CVE-2023-38510 Tolgee Lacks Permission Check for API Key for some endpoints

Tolgee is an open-source localization platform. Starting in version 3.14.0 and prior to version 3.23.1, when a request is made using an API key, the backend fails to verify the permission scopes associated with the key, effectively bypassing permission checks entirely for some endpoints. It's...

CVSS 8.1 · AI score 8 · EPSS 0.00142
Exploits 0 · References 4

Vulnrichment
added 2023/07/27 6:57 p.m. · 17 views

CVE-2023-38510 Tolgee Lacks Permission Check for API Key for some endpoints

Tolgee is an open-source localization platform. Starting in version 3.14.0 and prior to version 3.23.1, when a request is made using an API key, the backend fails to verify the permission scopes associated with the key, effectively bypassing permission checks entirely for some endpoints. It's...

CVSS 8.1 · AI score 7.8 · EPSS 0.00142
Exploits 0 · References 4

CVE
added 2023/07/27 6:57 p.m. · 2501 views

CVE-2023-38510

Tolgee CVE-2023-38510 affects Tolgee versions 3.14.0 through 3.23.1. The issue is that API-key requests bypass permission scope checks, effectively bypassing authorization for some endpoints. This vulnerability can enable unauthorized access if API keys are exposed on the internet; cases where ke...

CVSS 8.1 · AI score 7.8 · EPSS 0.00142
Exploits 0 · References 4 · Affected Software 1

Hacker One
added 2023/07/24 1:12 p.m. · 16 views

HackerOne: Bypass report submit restriction/ban using the API key

A vulnerability was discovered that allowed banned researchers to submit reports through API keys, bypassing reporting restrictions. By creating an API key after an account was banned from submitting reports, a researcher could still submit reports to programs without restrictions, potentially...

AI score 6.9
Exploits 0