PT-2022-2569
Name of the Vulnerable Software and Affected Versions: Apache APISIX version 2.12.1. Description: The issue concerns an authentication bypass vulnerability in Apache APISIX, where an attacker can abuse the batch-requests plugin to send requests that bypass the IP restriction of the Admin API. Th...
Mageia: Security Advisory (MGASA-2018-0308)
The remote host is missing an update for the ... SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Insecure Session Management
pterodactyl/panel is vulnerable to insecure session management. The vulnerability exists in the handle function in the AuthenticateKey.php file, allowing malicious attackers to compromise the API key generation and log in to the system...
Critical Bugs in Control Web Panel Expose Linux Servers to RCE Attacks
Researchers have disclosed details of two critical security vulnerabilities in Control Web Panel that could be abused as part of an exploit chain to achieve pre-authenticated remote code execution on affected servers. Tracked as CVE-2021-45467, the issue concerns a case of a file inclusion...
GHSA-7V3X-H7R2-34JV Insufficient Session Expiration in Pterodactyl API
Impact: A vulnerability exists in Pterodactyl Panel. authenticateApiKey($request->bearerToken(), $keyType); - $this->auth->guard()->loginUsingId($model->user_id); + $this->auth->guard()->onceUsingId($model->user_id); For more information: If you have any questions or comments about this advisory please reach out to Tactic...
Insufficient Session Expiration in Pterodactyl API
Impact: A vulnerability exists in Pterodactyl Panel. authenticateApiKey($request->bearerToken(), $keyType); - $this->auth->guard()->loginUsingId($model->user_id); + $this->auth->guard()->onceUsingId($model->user_id); For more information: If you have any questions or comments about this advisory please reach out to Tactic...
8x8: ████ api key exposed in github.com/███/███
@adnanmalikinfo identified a committed API key of a 3rd party SaaS platform for social marketing. We swiftly escalated to the repository owner, who restricted access...
CVE-2021-31821
When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. This does not affect the Linux Docker image...
Design/Logic Flaw
When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. This does not affect the Linux Docker image...
CVE-2021-31821
CVE-2021-31821 affects the Windows Tentacle docker image; on startup it logs commands and arguments, exposing the Octopus Server API key in plaintext. The Linux Docker image is not affected. CVSS v3.1 data indicate a base score of 5.5, with Confidentiality Impact HIGH, Local attack vector and Low attack complexity. No remediatio...
CVE-2022-0131
Jimoty App for Android versions prior to 3.7.42 uses a hard-coded API key for an external service. By exploiting this vulnerability, the API key for an external service may be obtained by analyzing data in the app...
Hardcoded credentials
Jimoty App for Android versions prior to 3.7.42 uses a hard-coded API key for an external service. By exploiting this vulnerability, the API key for an external service may be obtained by analyzing data in the app...
CVE-2022-0131
CVE-2022-0131 affects Jimoty App for Android prior to version 3.7.42, where a hard-coded API key for an external service is embedded in the app. The root cause is credential leakage from static API keys, enabling an attacker with local access to extract the key by analyzing the app’s data. Report...
Privilege Escalation
snipe-it is vulnerable to privilege escalation. The vulnerability exists due to a lack of sanitization of the auth controls on API key creation...
JVN#49047921: Jimoty App for Android uses a hard-coded API key for an external service
Jimoty App for Android provided by Jimoty, Inc. uses a hard-coded API key for an external service (CWE-798). Impact: The API key for an external service may be obtained by analyzing data in the app. Note that a user is not directly affected by this vulnerability. Solution: Update the Application. Update t...
Security Bulletin: Multiple vulnerabilities affect IBM Observability with Instana
Summary: Vulnerabilities detected in Elasticsearch versions 6.7.0 to 6.8.7 and 7.0.0 to 7.6.2 affect IBM Observability with Instana. Vulnerability Details: CVEID: CVE-2019-7619 DESCRIPTION: Elastic Elasticsearch could allow a remote attacker to obtain sensitive information, caused by a flaw in...
Inclusion of Sensitive Information in Source Code in pimcore/demo
Description: An API key is hard-coded in the application source code. The use of a hard-coded API key has many negative implications. Proof of Concept: "security" => "method" => "datahubapikey", "apikey" => "6332aa5e6d3d6c0be31da2a8b3442113", "skipPermissionCheck" => FALSE...