CVE-2022-24812
Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructe...
CVE-2022-24812 FGAC API Key privilege escalation in Grafana
Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructe...
CVE-2022-24812
Grafana Enterprise FGAC API Key privilege escalation (CVE-2022-24812): when fine-grained access control is enabled and multiple API Keys exist in an organization, the API key permissions are cached for 30 seconds using a stale cache ID, causing subsequent requests to inherit previous admin permis...
WordPress Uleak Security Dashboard 1.2.3 Cross Site Scripting Vulnerability
Exploit Title: WordPress Plugin uleak-security-dashboard 1.2.3 - Stored Cross-Site Scripting Authenticated Date: 31-03-2022 Exploit Author: Hassan Khan Yusufzai - Splint3r7 Vendor Homepage: https://wordpress.org/plugins/uleak-security-dashboard/ Version: 1.2.3 Tested on: Firefox Contact me: h at...
Clipr <= 1.2.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its API Key settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed. PoC: Put the following payload in the API Key settings of the plugin: 'alert/XSS/...
Use Any Font < 6.2.1 - API Key Deactivation via CSRF
The plugin does not have a CSRF check in place when deactivating its API key, which could allow attackers to make a logged-in admin perform such an action via a CSRF attack...
Clipr <= 1.2.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its API Key settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed. Put the following payload in the API Key settings of the plugin: 'alert/XSS/ The XSS will be...
SearchIQ < 3.9 - Unauthenticated Stored XSS
The plugin contains a flag to disable the verification of CSRF nonces, granting unauthenticated attackers access to the siqajax AJAX action and allowing them to perform Cross-Site Scripting attacks due to the lack of sanitisation and escaping in the customCss parameter. Once the plugin is configur...
ASSAMEE - Free Advance Encryptor For Anon Cloud
ASSAMEE is a free advanced encryptor for Anonfiles. It uses an advanced encryption method to encrypt the directory with AES-256. The data is stored on anonfiles.com in an encrypted format. ASSAMEE requires a download ID to download and decrypt the data from Anonfiles. Downloading encrypted da...
APISIX Admin API default access token RCE
Apache APISIX has a default, built-in API token edd1c9f034335f136f87ad84b625c8f1 that can be used to access all of the admin API, which leads to remote Lua code execution through the script parameter added in the 2.x version. This module also leverages another vulnerability to bypass the IP...
CVE-2022-24327
In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions...
Code injection
In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions...
CVE-2022-24327
Summary: CVE-2022-24327 affects JetBrains Hub prior to 2021.1.13890, where the JetBrains Account integration exposed an API key with excessive permissions. The vulnerability stems from improper access controls during account integration, enabling an attacker who could exploit the exposed key to a...
Petfinder Listings < 1.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its settings, allowing high-privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. PoC: Put the following payload in any of the text field settings of the plugin, such as 'Your Petfinder API Key v1.0': "...
Petfinder Listings < 1.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its settings, allowing high-privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in any of the text field settings of the plugin, such as 'Your Petfinder API Key v1.0': "...
Microsoft Warns of 'Ice Phishing' Threat on Web3 and Decentralized Networks
Microsoft has warned of emerging threats in the Web3 landscape, including "ice phishing" campaigns, as a surge in adoption of blockchain and DeFi technologies emphasizes the need to build security into the decentralized web while it's still in its early stages. The company's Microsoft 365 Defende...