1826 matches found

Cvelist
added 2022/07/05 12:43 p.m. | 20 views

CVE-2022-30290

In OpenCTI through 5.2.4, a broken access control vulnerability has been identified in the profile endpoint. An attacker can abuse the identified vulnerability in order to arbitrarily change their registered e-mail address as well as their API key, even though such action is not possible through...

AI score: 7.6 | EPSS: 0.00344
Exploits: 0 | References: 2

Huntr
added 2022/06/28 7:23 a.m. | 9 views

Arbitrary template creation leading to Authenticated Remote Code Execution

Description Arbitrary File Write Reproduction Steps: 1. As a low privileged user, Create a new recipe and click on the "+" to add a New Asset. 2. Select a file, then proxy the request that will create the asset. 3. Update the values in the POST request to the ones shown below: POST...

AI score: 0.5
Exploits: 0

FreeBSD
added 2022/06/26 12:0 a.m. | 36 views

Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Grafana Labs reports: On June 26 a security researcher contacted Grafana Labs to disclose a vulnerability with the GitLab data source plugin that could leak the API key to GitLab. After further analysis the vulnerability impacts data source and plugin proxy endpoints with authentication tokens bu...

CVSS: 7.8 | AI score: 6.2 | EPSS: 0.00897
Exploits: 0 | References: 1

Hacker One
added 2022/06/25 5:13 p.m. | 20 views

Stripo Inc: Non-revoked API Key Information disclosure via Stripo_report()

Talking about 983331 reports where a security researcher reported secret API key leakage vulnerability in a JavaScript file at Stripo. This report is disclosed on HackerOne, and the team at Stripo have forgotten to blur the API keys from the report before disclosing it to the public. The API keys...

AI score: 6.7
Exploits: 0

Kitploit
added 2022/06/23 9:30 p.m. | 25 views

TrelloC2 - Simple C2 Over The Trello API

Simple C2 over Trello's API Proof-of-Concept By: Fabrizio Siciliano @0rbz Update 12/30/2019 Removed hardcoded API key and Token, use input instead. Requirements Python 3.x Setup 1. Create a Trello account: https://trello.com/signup 2. Once logged in, get your API key: https://trello.com/app-key 3...

AI score: 7.1
Exploits: 0 | References: 4

CNVD
added 2022/06/23 12:0 a.m. | 21 views

Recipes Cross-Site Scripting Vulnerability (CNVD-2022-58298)

Recipes are apps for managing recipes, planning meals, creating shopping lists, and more. A cross-site scripting vulnerability exists in Recipes versions 1.0.5 through 1.2.5, which stems from a filtered escape of user data missing from the name parameter. A low-privileged attacker can exploit thi...

CVSS: 3.5 | AI score: 5.7 | EPSS: 0.00238
Exploits: 1 | References: 1

CNVD
added 2022/06/23 12:0 a.m. | 13 views

Recipes Cross-Site Scripting Vulnerability (CNVD-2022-58300)

Recipes are apps for managing recipes, planning meals, creating shopping lists, and more. A cross-site scripting vulnerability exists in Recipes versions 0.17.0 through 1.2.5, which stems from the vulnerability to stored cross-site scripting XSS in the "Name" field of the Keywords, Foods, and Uni...

CVSS: 3.5 | AI score: 5.2 | EPSS: 0.00238
Exploits: 1 | References: 1

CNVD
added 2022/06/23 12:0 a.m. | 13 views

Recipes Cross-Site Scripting Vulnerability (CNVD-2022-58299)

Recipes are apps for managing recipes, planning meals, creating shopping lists, and more. A cross-site scripting vulnerability exists in Recipes versions 1.0.5 through 1.2.5, which stems from a filtered escape of user data missing from the name parameter. A low-privileged attacker can exploit thi...

CVSS: 3.5 | AI score: 5.7 | EPSS: 0.00238
Exploits: 1 | References: 1

NVD
added 2022/06/21 10:15 a.m. | 7 views

CVE-2022-23074

In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting XSS, in the ‘Name’ field of Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low privileged attacker will have the victim's API key and...

CVSS: 3.5 | EPSS: 0.00238
Exploits: 1 | References: 2

OSV
added 2022/06/21 10:15 a.m. | 14 views

CVE-2022-23074

In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting XSS, in the ‘Name’ field of Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low privileged attacker will have the victim's API key and...

CVSS: 3.5 | AI score: 5.3 | EPSS: 0.00238
Exploits: 1 | References: 2

Prion
added 2022/06/21 10:15 a.m. | 11 views

Cross site scripting

In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting XSS, in the ‘Name’ field of Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low privileged attacker will have the victim's API key and...

CVSS: 3.5 | AI score: 5.4 | EPSS: 0.00238
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2022/06/21 9:20 a.m. | 14 views

CVE-2022-23074 Recipes - Stored XSS in Name Parameter

In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting XSS, in the ‘Name’ field of Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low privileged attacker will have the victim's API key and...

AI score: 5.3 | EPSS: 0.00238
Exploits: 1 | References: 2

CVE
added 2022/06/21 9:20 a.m. | 666 views

CVE-2022-23074

Recipes CVE-2022-23074 affects versions 0.17.0–1.2.5, with Stored XSS in the Name field of Keyword, Food, and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, an XSS payload can be triggered. A low-privilege attacker could obtain the victim’s API key, potentially leading t...

CVSS: 3.5 | AI score: 5.2 | EPSS: 0.00238
Exploits: 1 | References: 2 | Affected Software: 1

NVD
added 2022/06/21 9:15 a.m. | 8 views

CVE-2022-23073

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting XSS, in copy to clipboard functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the clipboard icon, an XSS...

CVSS: 3.5 | EPSS: 0.00238
Exploits: 1 | References: 2

Prion
added 2022/06/21 9:15 a.m. | 13 views

Cross site scripting

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting XSS, in copy to clipboard functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the clipboard icon, an XSS...

CVSS: 3.5 | AI score: 5.4 | EPSS: 0.00238
Exploits: 1 | References: 2 | Affected Software: 1

CVE
added 2022/06/21 8:50 a.m. | 802 views

CVE-2022-23073

Recipes (the Recipes application) is affected in versions 1.0.5–1.2.5 by a Stored XSS in the copy-to-clipboard functionality used on the food list page. The root cause is insufficient escaping of user-provided data in the Name field when creating a new Food, allowing a malicious payload to be sto...

CVSS: 3.5 | AI score: 5.2 | EPSS: 0.00238
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2022/06/21 8:50 a.m. | 10 views

CVE-2022-23073 Recipes - Stored XSS in Clipboard

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting XSS, in copy to clipboard functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the clipboard icon, an XSS...

AI score: 5.3 | EPSS: 0.00238
Exploits: 1 | References: 2

OSV
added 2022/06/21 8:15 a.m. | 8 views

CVE-2022-23072

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting XSS, in “Add to Cart” functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the Add to Shopping Cart icon, an X...

CVSS: 3.5 | AI score: 5.3 | EPSS: 0.00238
Exploits: 1 | References: 2

NVD
added 2022/06/21 8:15 a.m. | 7 views

CVE-2022-23072

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting XSS, in “Add to Cart” functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the Add to Shopping Cart icon, an X...

CVSS: 3.5 | EPSS: 0.00238
Exploits: 1 | References: 2

Prion
added 2022/06/21 8:15 a.m. | 11 views

Cross site scripting

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting XSS, in “Add to Cart” functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the Add to Shopping Cart icon, an X...

CVSS: 3.5 | AI score: 5.4 | EPSS: 0.00238
Exploits: 1 | References: 2 | Affected Software: 1