1826 matches found
CVE-2022-36923
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (builds 125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external...
CVE-2022-36923
CVE-2022-36923 affects Zoho ManageEngine products (OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils) with an authentication bypass that allows an unauthenticated attacker to retrieve a user’s API key and use external APIs. T...
CVE-2022-33201
Cross-Site Request Forgery (CSRF) vulnerability in the MailerLite – Signup forms (official) plugin <= 1.5.7 at WordPress allows an attacker to change the API key...
CVE-2022-33201
CVE-2022-33201 affects the WordPress MailerLite – Signup forms (official) plugin, version 1.5.7 and earlier. The root cause is a missing CSRF check when updating the API key, enabling an attacker to change the API key via CSRF as described in multiple sources. The vulnerability is reported to imp...
PT-2022-21738 · WordPress · Mailerlite – Signup Forms Plugin
Name of the Vulnerable Software and Affected Versions: MailerLite – Signup forms plugin versions 1.5.7 and earlier. Description: A Cross-Site Request Forgery (CSRF) issue allows an attacker to change the API key. This can be exploited by an attacker to make unauthorized changes. Recommendations: For...
Social Slider Feed < 2.0.6 - Admin+ Stored XSS via API Key
The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). Put the following payload in the YT API Key settin...
Social Slider Feed < 2.0.6 - Admin+ Stored XSS via API Key
The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). PoC: Put the following payload in the YT API Key...
WordPress Social Slider Feed plugin <= 2.0.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability via API Key discovered by WPScan in WordPress Social Slider Feed plugin versions <= 2.0.5. Solution: Update the WordPress Social Slider Feed plugin to the latest available version (at least 2.0.6)...
Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys
Researchers have uncovered a list of 3,207 mobile apps that are exposing Twitter API keys in the clear, some of which can be used to gain unauthorized access to the Twitter accounts associated with them. The takeover is made possible thanks to a leak of legitimate Consumer Key and Consumer Secre...
WordPress MailerLite – Signup forms (official) plugin <= 1.5.7 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to API key change discovered by Muhammad Daffa (Patchstack Alliance) in WordPress MailerLite – Signup forms (official) plugin versions <= 1.5.7. Solution: Update the WordPress MailerLite – Signup forms plugin to the latest available version (at least...
WordPress Social Slider Feed plugin <= 2.0.4 - Authenticated Arbitrary API Key Update vulnerability leading to Stored Cross-Site Scripting (XSS)
Authenticated Arbitrary API Key Update vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by WPScan in WordPress Social Slider Feed plugin versions <= 2.0.4. Solution: Update the WordPress Social Slider Feed plugin to the latest available version (at least 2.0.5)...
Social Slider Feed < 2.0.5 - Subscriber+ Arbitrary API Key Update to Stored XSS
The plugin does not have authorisation and CSRF checks in place when saving the YouTube API Key, and does not sanitise or escape it. As a result, users with a role as low as Subscriber could change it, including setting it to a value containing Stored Cross-Site Scripting payloads. PoC: As any...
MailerLite - Signup forms (official) < 1.5.7 - API Key Update via CSRF
The plugin does not have a CSRF check in place when updating its API key, which could allow attackers to make a logged-in admin change it via a CSRF attack...
Social Slider Feed < 2.0.5 - Subscriber+ Arbitrary API Key Update to Stored XSS
The plugin does not have authorisation and CSRF checks in place when saving the YouTube API Key, and does not sanitise or escape it. As a result, users with a role as low as Subscriber could change it, including setting it to a value containing Stored Cross-Site Scripting payloads. As any authenticate...
JVN#40907489: "Hulu / フールー" App for Android uses a hard-coded API key for an external service
"Hulu / フールー" App for Android provided by HJ Holdings, Inc. uses a hard-coded API key for an external service (CWE-798). Impact: The hard-coded API key may be retrieved via reverse-engineering the application binary. Note that the application users are not directly affected by this vulnerability...
Malicious Package
Overview api-key-regex is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package was...
Improper access control
In OpenCTI through 5.2.4, a broken access control vulnerability has been identified in the profile endpoint. An attacker can abuse the identified vulnerability in order to arbitrarily change their registered e-mail address as well as their API key, even though such action is not possible through...