1825 matches found

Cvelist
added 2021/05/05 12:25 p.m. · 9 views

CVE-2021-29245

BTCPay Server through 1.0.7.0 uses a weak method Next to produce pseudo-random values to generate a legacy API key...

6.6 AI score · 0.00363 EPSS
Exploits 0 · References 2
CVE
added 2021/05/05 12:25 p.m. · 37 views

CVE-2021-29245

BTCPay Server prior to or including 1.0.7.0 uses a weak method (Next) to generate pseudo-random values for a legacy API key, which is the root cause of this CVE. The supplied connected documents confirm the affected product/version and the underlying issue; no explicit exploitation details or rem...

5.3 CVSS · 5.2 AI score · 0.00363 EPSS
Exploits 0 · References 2 · Affected Software 1
Palo Alto Networks
added 2021/04/14 4:0 p.m. · 57 views

PAN-OS: Administrator secrets are logged in web server logs when using the PAN-OS XML API incorrectly

An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to...

4.4 CVSS · 2.2 AI score · 0.00143 EPSS
Exploits 1 · References 1
Github Security Blog
added 2021/04/13 3:12 p.m. · 16 views

Potential API key leak

If a user is actively blackholing the location or weather APIs, or those APIs become otherwise unavailable, it is possible for the API keys to get leaked to the active IRC channel. This is patched in v1.2.4...

2.7 AI score
Exploits 0 · References 2 · Affected Software 1
OSV
added 2021/04/13 3:12 p.m. · 6 views

GHSA-63RQ-P8FP-524Q Potential API key leak

If a user is actively blackholing the location or weather APIs, or those APIs become otherwise unavailable, it is possible for the API keys to get leaked to the active IRC channel. This is patched in v1.2.4...

7 AI score
Exploits 0 · References 1
OSV
added 2021/04/12 2:15 p.m. · 0 views

CVE-2021-24219

The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin...

5.3 CVSS · 6.2 AI score
Exploits 0 · References 2
OSV
added 2021/04/06 5:29 p.m. · 14 views

GHSA-XW22-WV29-3299 ApiKey secret could be revelated on network issue

Impact: What kind of vulnerability is it? Who is impacted? Applications that are using node-etsy-client and reporting client error to the end user will offer api key value too. Patches: Has the problem been patched? What versions should users upgrade to? creharmony/node-etsy-client18 fixes this issu...

8.1 CVSS · 7 AI score · 0.00314 EPSS
Exploits 0 · References 3
Kitploit
added 2021/04/06 12:30 p.m. · 450 views

Scylla - The Simplistic Information Gathering Engine | Find Advanced Information On A Username, Website, Phone Number, Etc...

Scylla is an OSINT tool developed in Python 3.6. Scylla lets users perform advanced searches on Instagram & Twitter accounts, websites/webservers, phone numbers, and names. Scylla also allows users to find all social media profiles (main platforms) assigned to a certain username. In continuation,...

7.2 AI score
Exploits 0 · References 1
Cvelist
added 2021/04/05 6:27 p.m. · 12 views

CVE-2021-24167 Web-Stat < 1.4.1 - API Key Disclosure

When visiting a site running Web-Stat 1.4.0, the "wtswebstatloadinit" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookupWPaccount...

7.6 AI score · 0.00614 EPSS
Exploits 0 · References 1
Veracode
added 2021/04/05 7:54 a.m. · 4 views

Information Disclosure

node-etsy-client is vulnerable to information disclosure. It leaks api key value secret through client error reports...

8.1 CVSS · 6.6 AI score · 0.00314 EPSS
Exploits 0 · References 3 · Affected Software 1
Cvelist
added 2021/04/01 10:10 p.m. · 10 views

CVE-2021-21421 ApiKey secret could be revelated on network issue

node-etsy-client is a NodeJs Etsy ReST API Client. Applications that are using node-etsy-client and reporting client error to the end user will offer api key value too. This is fixed in node-etsy-client v0.3.0 and later...

8.1 CVSS · 8.1 AI score · 0.00314 EPSS
Exploits 0 · References 2
CVE
added 2021/04/01 10:10 p.m. · 75 views

CVE-2021-21421

CVE-2021-21421 affects the node-etsy-client (Node.js Etsy REST API client). The issue is that applications reporting client errors to end users could leak the API key value in error output. The root cause is tied to how error information is exposed to end users. Mitigation is to upgrade to node-e...

8.1 CVSS · 6.6 AI score · 0.00314 EPSS
Exploits 0 · References 2 · Affected Software 1
Positive Technologies
added 2021/04/01 12:0 a.m. · 2 views

PT-2021-14494 · Npm · Node-Etsy-Client

Name of the Vulnerable Software and Affected Versions: node-etsy-client versions prior to 0.3.0 Description: The issue affects applications using node-etsy-client, where client error reports to end users may inadvertently expose API key values. Recommendations: For versions prior to 0.3.0, update...

8.1 CVSS · 6.8 AI score · 0.00314 EPSS
Exploits 0 · References 5
NVD
added 2021/03/29 8:15 p.m. · 8 views

CVE-2020-35137

The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work aka com.mobileiron. The key is in com/mobileiron/registration/RegisterActivity.java and can be used for...

7.5 CVSS · 0.00392 EPSS
Exploits 1 · References 3
Prion
added 2021/03/29 8:15 p.m. · 12 views

Hardcoded credentials

The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work aka com.mobileiron. The key is in com/mobileiron/registration/RegisterActivity.java and can be used for...

4.3 CVSS · 7.1 AI score · 0.00392 EPSS
Exploits 1 · References 3 · Affected Software 1
CVE
added 2021/03/29 12:0 a.m. · 35 views

CVE-2020-35137

CVE-2020-35137 concerns MobileIron agents for Android and iOS (through 2021-03-22) that hardcode an API key in com/mobileiron/registration/RegisterActivity.java. This key is used to reach the SaaS discovery API via api/v1/gateway/customers/servers. The feature is opt-in and not enabled by default...

7.5 CVSS · 7.1 AI score · 0.00392 EPSS
Exploits 1 · References 3 · Affected Software 1
Cvelist
added 2021/03/29 12:0 a.m. · 14 views

CVE-2020-35137

The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work aka com.mobileiron. The key is in com/mobileiron/registration/RegisterActivity.java and can be used for...

7.2 AI score · 0.00392 EPSS
Exploits 1 · References 3
Exploit DB
added 2021/03/18 12:0 a.m. · 337 views

Hestia Control Panel 1.3.2 - Arbitrary File Write

Title: Hestia Control Panel 1.3.2 - Arbitrary File Write Date: 07.03.2021 Author: Numan Türle Vendor Homepage: https://hestiacp.com/ Software Link: https://github.com/hestiacp/hestiacp Version: 1.3.3 Tested on: HestiaCP Version 1.3.2 curl --location --request POST...

7.4 AI score
Exploits 0
0day.today
added 2021/03/18 12:0 a.m. · 48 views

Hestia Control Panel 1.3.2 - Arbitrary File Write Vulnerability

Title: Hestia Control Panel 1.3.2 - Arbitrary File Write Author: Numan Türle Vendor Homepage: https://hestiacp.com/ Software Link: https://github.com/hestiacp/hestiacp Version: 1.3.3 Tested on: HestiaCP Version 1.3.2 curl --location --request POST 'https://TARGET:8083/api/index.php' \ --form...

0.9 AI score
Exploits 0
Veracode
added 2021/02/23 2:41 a.m. · 18 views

Insecure Access Control

shinobi uses insecure access controls. An attacker is able to access the User/Admin/Super API functions through the use of JS Proto Method names held in an internal JS Object and trick the System into accepting supplied API Key that exists in the underlying JS object...

9.8 CVSS · 1.8 AI score · 0.00419 EPSS
Exploits 0 · References 4 · Affected Software 1