1825 matches found

Cvelist
added 2020/02/06 5:48 p.m. · 11 views

CVE-2020-8657

An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key hardcoded as EONAPIKEY in include/apifunctions.php for API version 2.4.2 by default for all installations, hence allowing an attacker to calculate/guess the admin access token...

AI score 9.4 · EPSS 0.88863
Exploits 4 · References 2

Vulnrichment
added 2020/02/06 5:48 p.m. · 7 views

CVE-2020-8657

An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key hardcoded as EONAPIKEY in include/apifunctions.php for API version 2.4.2 by default for all installations, hence allowing an attacker to calculate/guess the admin access token...

AI score 9.4 · EPSS 0.88863
Exploits 4 · References 2

ATTACKERKB
added 2020/02/06 12:00 a.m. · 17 views

CVE-2020-8657

An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key hardcoded as EONAPIKEY in include/apifunctions.php for API version 2.4.2 by default for all installations, hence allowing an attacker to calculate/guess the admin access token. Recent assessments: Assessed Attack...

CVSS 9.8 · AI score 4.5 · EPSS 0.88863
In wild · Exploits 4 · References 3

Exploit DB
added 2020/01/21 12:00 a.m. · 753 views

ManageEngine Network Configuration Manager 12.2 - 'apiKey' SQL Injection

Exploit Title: ManageEngine Network Configuration Manager 12.2 - 'apiKey' SQL Injection. Discovery date: 2019-01-24. Published: 2020-01-20. Exploit Author: AmirHadi Yazdani. Vendor Homepage: https://www.manageengine.com/network-configuration-manager/ Software Link:...

AI score 7.4
Exploits 0

NVD
added 2020/01/15 4:15 p.m. · 6 views

CVE-2020-2095

Jenkins Redgate SQL Change Automation Plugin 2.0.4 and earlier stored an API key unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system...

CVSS 4.3 · AI score 4.9 · EPSS 0.00031
Exploits 0 · References 1

OSV
added 2020/01/15 4:15 p.m. · 12 views

CVE-2020-2095

Jenkins Redgate SQL Change Automation Plugin 2.0.4 and earlier stored an API key unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system...

CVSS 4.3 · AI score 7.1
Exploits 0 · References 1

CVE
added 2020/01/15 3:15 p.m. · 52 views

CVE-2020-2095

CVE-2020-2095 affects the Jenkins Redgate SQL Change Automation Plugin (versions 2.0.4 and earlier). The vulnerability arises because an API key is stored unencrypted in job config.xml files on the Jenkins master, allowing viewing by users with Extended Read permission or access to the master fil...

CVSS 4.3 · AI score 4.9 · EPSS 0.00031
Exploits 0 · References 1 · Affected Software 1

Cvelist
added 2020/01/15 3:15 p.m. · 10 views

CVE-2020-2095

Jenkins Redgate SQL Change Automation Plugin 2.0.4 and earlier stored an API key unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system...

AI score 4.9 · EPSS 0.00031
Exploits 0 · References 1

Positive Technologies
added 2020/01/15 12:00 a.m. · 1 view

PT-2020-15301 · Redgate +1 · Jenkins Redgate Sql Change Automation Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Redgate SQL Change Automation Plugin versions 2.0.4 and earlier Description: The issue concerns the storage of an API key in an unencrypted form in job config.xml files on the Jenkins master. This allows users with Extended Read...

CVSS 4.3 · AI score 4.8 · EPSS 0.00031
Exploits 0 · References 6

WPVulnDB
added 2020/01/06 12:00 a.m. · 7 views

WP Simple Spreadsheet Fetcher For Google < 0.3.7 - Arbitrary API Key update via CSRF

The lack of Cross-Site Request Forgery (CSRF) checks on the plugin's settings page could allow CSRF attacks to set an arbitrary API key. PoC...

AI score 3.1
Exploits 0 · References 1 · Affected Software 1

Hacker One
added 2019/12/31 7:33 a.m. · 42 views

Rocket.Chat: API Keys Hardcoded in Github repository

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: API Keys is ha...

AI score 7
Exploits 0

NVD
added 2019/12/27 2:15 p.m. · 9 views

CVE-2014-4559

Multiple cross-site scripting (XSS) vulnerabilities in test-plugin.php in the Swipe Checkout for WP e-Commerce plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) apikey, (2) paymentpageurl, (3) merchantid, (4) apiurl, or (5) currency parameter...

CVSS 6.1 · AI score 6.2 · EPSS 0.00235
Exploits 2 · References 1

Cvelist
added 2019/12/27 1:56 p.m. · 13 views

CVE-2014-4559

Multiple cross-site scripting (XSS) vulnerabilities in test-plugin.php in the Swipe Checkout for WP e-Commerce plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) apikey, (2) paymentpageurl, (3) merchantid, (4) apiurl, or (5) currency parameter...

AI score 6.2 · EPSS 0.00235
Exploits 2 · References 1

Kitploit
added 2019/12/24 11:30 a.m. · 277 views

AttackSurfaceMapper - A Tool That Aims To Automate The Reconnaissance Process

Attack Surface Mapper is a reconnaissance tool that uses a mixture of open source intelligence and active techniques to expand the attack surface of your target. You feed in a mixture of one or more domains, subdomains and IP addresses and it uses numerous techniques to find more targets. It...

AI score 7
Exploits 0 · References 2

NVD
added 2019/12/10 3:15 p.m. · 7 views

CVE-2019-19251

The Last.fm desktop app Last.fm Scrobbler through 2.1.39 on macOS makes HTTP requests that include an API key without the use of SSL/TLS. Although there is an Enable SSL option, it is disabled by default, and cleartext requests are made as soon as the app starts...

CVSS 5.3 · AI score 5.3 · EPSS 0.00151
Exploits 0 · References 1

Cvelist
added 2019/12/10 2:26 p.m. · 10 views

CVE-2019-19251

The Last.fm desktop app Last.fm Scrobbler through 2.1.39 on macOS makes HTTP requests that include an API key without the use of SSL/TLS. Although there is an Enable SSL option, it is disabled by default, and cleartext requests are made as soon as the app starts...

AI score 5.3 · EPSS 0.00151
Exploits 0 · References 1

GithubExploit
added 2019/12/07 5:09 p.m. · 98 views

Exploit for Path Traversal in Ivanti Connect_Secure

pulsexploit: automated script for the Pulse Secure SSL VPN exploit...

CVSS 10 · AI score 9.4 · EPSS 0.94462
Exploits 22

Hacker One
added 2019/12/06 5:43 a.m. · 14 views

Nord Security: Connection information is sent to a third-party service

Application event data exposed through the reuse of an API key. The researcher reported that iOS app usage event information sent to the third-party service can be intercepted through the reuse of an API key. In order to resolve the issue we have disabled GET requests for API keys, removed the third par...

AI score 6.6
Exploits 0

NVD
added 2019/11/21 11:15 p.m. · 14 views

CVE-2019-18933

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an...

CVSS 9.8 · AI score 9.6 · EPSS 0.00431
Exploits 0 · References 2

OSV
added 2019/11/21 11:15 p.m. · 14 views

CVE-2019-18933

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an...

CVSS 9.8 · AI score 7.1
Exploits 0 · References 2