1825 matches found
Authentication flaw
In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an...
CVE-2019-18933
In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an...
CVE-2019-18933
CVE-2019-18933 affects Zulip Server versions 1.7.0 through
CVE-2019-7619
Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm...
Design/Logic Flaw
Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm...
CVE-2019-7619
CVE-2019-7619 affects Elasticsearch versions 7.0.0–7.3.2 and 6.7.0–6.8.3, where an unauthenticated attacker could use the API Key service to determine if a username exists in the native realm due to a username-disclosure flaw. The connected documents corroborate a username disclosure vulnerabilit...
Ping Identity: Google Maps API key leaked during device pairing
Summary: Just on intercepting and going through the request I made from ort-admin.pingone.com, I found that the Google Maps API key was leaking through a GET request. I was able to validate that the leaked key was a valid one. Steps To Reproduce: 1. Log in to account, go to setup tab, Ping ID device...
Information Disclosure
A username disclosure flaw was found in Elasticsearch’s API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm...
Starbucks: JumpCloud API Key leaked via Open Github Repository.
Summary: Open GitHub Repo Leaking Starbucks JumpCloud API Key. Description: Team, while going through GitHub search I discovered a public repository which contains the JumpCloud API Key of Starbucks. Repo: https://github.com/██████████/Project. File:...
Imperva: Data Breach Caused by Amazon Cloud Misconfiguration
Imperva, the security vendor, said this week that a misconfiguration of an Amazon Web Services (AWS) cloud instance allowed hackers to exfiltrate information on customers using its Cloud Web Application Firewall (WAF) product. Formerly known as Incapsula, the Cloud WAF analyzes requests coming into...
Shodan-Eye - Tool That Collects All The Information About All Devices Directly Connected To The Internet Using The Specified Keywords That You Enter
This tool collects all information about all devices that are directly connected to the internet with the specified keywords that you enter. This way you get a complete overview. The types of devices that are indexed can vary enormously: from small desktops, refrigerators to nuclear power plants...
NebulousAD - Automated Credential Auditing Tool
NebulousAD: Automated Credential Auditing Tool. Installation: simply download the precompiled release (requires no Python interpreter), or build from source (requires Python 2.7 for now). Run git clone [email protected]:NuID/nebulousAD.git. Next, install with python setup.py install. Then initialize...
X (Formerly Twitter): AppLovin API Key hardcoded in a Github repo
Hello, I found a Sensitive Data Exposure in github/mopub-android-mediation project, the AppLovin UI API key is hardcoded in source code. And in the comment it's mentioned that "This is a unique SDK Key from AppLovin. Get yours from the AppLovin UI". Github Link:-...
Buster - Find Emails Of A Person And Return Info Associated With Them
Buster is a simple OSINT tool used to: get social accounts from various sources (gravatar, about.me, myspace, skype, github, linkedin, avast); get links to where the email was found using google, twitter, darksearch and paste sites; get domains registered with an email (reverse whois); generate possible emails a...
CVE-2019-1575
Information disclosure in PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2 and earlier may allow for an authenticated user with read-only privileges to extract the API key of the device and/or the username/password from the XML API in PAN-OS and...
Information disclosure
Information disclosure in PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2 and earlier may allow for an authenticated user with read-only privileges to extract the API key of the device and/or the username/password from the XML API in PAN-OS and...
CVE-2019-1575
CVE-2019-1575 is a PAN-OS information disclosure affecting PAN-OS 7.1.x before 7.1.24, 8.0.x before 8.0.19, 8.1.x before 8.1.8-h5, and 9.0.x before 9.0.2-h4. An authenticated user with read-only privileges could extract the device API key and/or username/password from the XML API, potentially ena...