CVE-2022-1559
Clipr WordPress plugin
CVE-2022-1559 Clipr <= 1.2.3 - Admin+ Stored Cross-Site Scripting
The Clipr WordPress plugin through 1.2.3 does not sanitise and escape its API Key settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed...
WordPress plugin Clipr cross-site scripting vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; a WordPress plugin is an application extension for it. The WordPress Clipr plugin 1.2.3 and earlier versions have a cross-site scripting vulnerability that stems from ...
Jenkins meliora-testlab Plugin allows attackers with file system access to Jenkins master to obtain API key
An exposure of sensitive information vulnerability exists in Jenkins meliora-testlab Plugin 1.14 and earlier in TestlabNotifier.java that allows attackers with file system access to the Jenkins master to obtain the API key stored in this plugin's configuration. Additionally, the API key was not...
GHSA-3HW6-GC8H-9243 Jenkins meliora-testlab Plugin allows attackers with file system access to Jenkins master to obtain API key
Jenkins crittercism-dsym Plugin stores API key in plain text
Jenkins crittercism-dsym Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
GHSA-PXGR-RC8G-PJ7R Jenkins crittercism-dsym Plugin stores API key in plain text
Email-Prediction-Asterisks - Script That Allows You To Identify The Emails Hidden Behind Asterisks
Email Prediction Asterisks is a script that allows you to identify the emails hidden behind asterisks. It is a perfect application for OSINT analysts and security forces. It allows you to intelligently predict, using Intelx leaks, which emails are related to the person being looked for. It also...
Attackers Breach ‘Dozens’ of GitHub Repos Using Stolen OAuth Tokens
GitHub revealed details tied to last week’s incident where hackers, using stolen OAuth tokens, downloaded data from private repositories. “We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in thei...
Server-Side Request Forgery (SSRF)
gibbon is vulnerable to server-side request forgery attacks. The vulnerability exists due to the lack of validation of the api-key format, which allows an attacker to send a crafted URL and spoof information...
CVE-2021-3681
A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the build_ignore list in "galaxy.yml" are included in the .tar.gz file. This can contain sensitive info, such as the user's Ansible Galaxy A...
CVE-2021-3681
CVE-2021-3681 describes a flaw in Ansible Galaxy Collections where, during manual builds, any files in the repository not excluded by build_ignore in galaxy.yml are included inside the resulting .tar.gz. This can disclose sensitive data such as the user’s Ansible Galaxy API key and secrets from v...
GitHub Says Hackers Breached Dozens of Organizations Using Stolen OAuth Access Tokens
Cloud-based repository hosting service GitHub on Friday revealed that it discovered evidence of an unnamed adversary capitalizing on stolen OAuth user tokens to unauthorizedly download private data from several organizations. "An attacker abused stolen OAuth user tokens issued to two third-party...
CVE-2022-27851
Cross-Site Request Forgery (CSRF) in Use Any Font WordPress plugin <= 6.1.7 allows an attacker to deactivate the API key...
CVE-2022-27851
The CVE-2022-27851 entry concerns a CSRF vulnerability in the WordPress plugin Use Any Font, versions up to 6.1.7, that allows an attacker to deactivate the API key. Root cause: missing CSRF protection on the API key deactivation action. Impact: an attacker could cause an admin user to deactivate ...
CVE-2022-27851 WordPress Use Any Font plugin <= 6.1.7 - Cross-Site Request Forgery (CSRF) vulnerability
CVE-2022-24812
Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructe...