1826 matches found
WordPress plugin Google Places Reviews 跨站脚本漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site scripting...
CVE-2022-29453
Cross-Site Request Forgery CSRF vulnerability in API KEY for Google Maps plugin = 1.2.1 at WordPress leading to Google Maps API key update...
API KEY for Google Maps < 1.2.2 - Arbitrary API Key Update via CSRF
The plugin does not have CSRF in place when updating the API key, allowing attackers to make a logged in admin perform such action via a CSRF attack...
CVE-2022-22396
Credentials are printed in clear text in the IBM Spectrum Protect Plus 10.1.0.0 through 10.1.9.3 virgo log file in certain cases. Credentials could be the remote vSnap, offload targets, or VADP credentials depending on the operation performed. Credentials that are using API key or certificate are...
Design/Logic Flaw
Credentials are printed in clear text in the IBM Spectrum Protect Plus 10.1.0.0 through 10.1.9.3 virgo log file in certain cases. Credentials could be the remote vSnap, offload targets, or VADP credentials depending on the operation performed. Credentials that are using API key or certificate are...
Adobe: API Key reported in #1465145 not rotated and thus is still valid and can be used by anyone
Adobe appreciates the work and partnership with this security researcher. We value the commitment and dedication to our external security community...
Notionterm - Embed Reverse Shell In Notion Pages
Embedreverse shell in Notion pages. Hack while taking notes FOR: Hiding attacker IP in reverse shell No direct interaction between attacker and target machine. Notion is used as a proxy hosting the reverse shell Demo/Quick proof insertion within report High available and shareable reverse shell...
Improper Privilege Management in Elasticsearch
Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges...
Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch
Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm...
Jenkins CodeScan Plugin has Insufficiently Protected Credentials
CodeScan Plugin stores an API key unencrypted in its global configuration file com.villagechief.codescan.jenkins.CodeScanBuilder.xml on the Jenkins controller. This API key can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fi...
GHSA-JP8R-JH5J-CGWF Jenkins CodeScan Plugin has Insufficiently Protected Credentials
CodeScan Plugin stores an API key unencrypted in its global configuration file com.villagechief.codescan.jenkins.CodeScanBuilder.xml on the Jenkins controller. This API key can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fi...
HackerOne: Banned user still has access to their deleted account via HackerOne's API using their API key
The user's banned account could still be accessed using their previously generated API token, allowing them to perform actions such as retrieving reports, balance, earnings, payouts, weaknesses, and program information. This vulnerability was discovered and exploited on a test account...
WordPress Cliprs plugin cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin. WordPress Cliprs plugin 1.2.3 and earlier versions have a cross-site scripting vulnerability that stems from ...
Exposure of Sensitive Information in Jenkins Datadog plugin
The Datadog Plugin stores an API key to access the Datadog service in the global Jenkins configuration. While the API key is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the API key for example through browser...
GHSA-HF7W-F4H4-9XP8 Exposure of Sensitive Information in Jenkins Datadog plugin
The Datadog Plugin stores an API key to access the Datadog service in the global Jenkins configuration. While the API key is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the API key for example through browser...
Google Places Review < 2.0.0 - Admin+ Stored Cross Site Scripting
The plugin does not properly escape its Google API key setting, which is reflected on the site's administration panel. A malicious administrator could abuse this bug, in a multisite WordPress configuration, to trick super-administrators into viewing the booby-trapped payload and taking over their...
CVE-2022-1559
The Clipr WordPress plugin through 1.2.3 does not sanitise and escape its API Key settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfilteredhtml capability is disallowed...
CVE-2022-1559
The Clipr WordPress plugin through 1.2.3 does not sanitise and escape its API Key settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfilteredhtml capability is disallowed...
CVE-2022-1559
The Clipr WordPress plugin through 1.2.3 does not sanitise and escape its API Key settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfilteredhtml capability is disallowed...
Cross site scripting
The Clipr WordPress plugin through 1.2.3 does not sanitise and escape its API Key settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfilteredhtml capability is disallowed...