Lucene search

1825 matches found

Palo Alto Networks
added 2019/07/15 10:15 p.m. | 55 views

Information Disclosure in PAN-OS Management API Usage

An Information Disclosure vulnerability exists in PAN-OS Management API usage (Ref PAN-107239 and PAN-118869 / CVE-2019-1575). Successful exploitation may allow for an authenticated user with read-only privileges to extract the API key of the device and the username/password from the XML API in PAN-...

AI score: 1.6 | EPSS: 0.00684
Exploits: 0 | References: 1 | Affected Software: 1

Kitploit
added 2019/07/05 9:56 p.m. | 266 views

Rock-ON - An All In One Recon Tool That Will Just Get A Single Entry Of The Domain Name And Do All Of The Work Alone

Rock-On is an all in one recon tool that will help your Recon process give a boost. It is mainly aimed to automate the whole process of recon and save the time that is being wasted in doing all this stuff manually. A thorough blog will be up in some time. Stay tuned for the Stable version with a...

AI score: 7.4
Exploits: 0 | References: 1

Kitploit
added 2019/06/30 1:38 p.m. | 32 views

Spyse.Py - Python API Wrapper And Command-Line Client For The Tools Hosted On Spyse.Com

Python API wrapper and command-line client for the tools hosted on spyse.com. "Spyse is a developer of complete DAAS Data-As-A-Service solutions for Internet security professionals, corporate and remote system administrators, SSL / TLS encryption certificate providers, data centers and business...

AI score: 7.4
Exploits: 0 | References: 1

NVD
added 2019/06/11 5:29 p.m. | 11 views

CVE-2019-12794

An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host organization of an instance...

CVSS: 6.6 | AI score: 6.5 | EPSS: 0.0034
Exploits: 0 | References: 1

OSV
added 2019/05/23 6:29 p.m. | 1 views

CVE-2017-11559

An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack...

CVSS: 7.5 | AI score: 5.8
Exploits: 0 | References: 3

Exploit DB
added 2019/05/20 12:0 a.m. | 209 views

GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "GetSimpleCMS Unauthenticated RCE", 'Description' = %q This module exploits a vulnerability found in GetSimpleCMS, which allows unauthenticated...

CVSS: 9.8 | AI score: 7.4 | EPSS: 0.54617
Exploits: 5

0day.today
added 2019/05/20 12:0 a.m. | 790 views

GetSimpleCMS - Unauthenticated Remote Code Execution Exploit

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "GetSimpleCMS Unauthenticated RCE", 'Description' = %q This module exploits a vulnerability found in GetSimpleCMS, which allows unauthenticated...

CVSS: 9.8 | AI score: 0.2 | EPSS: 0.54617
Exploits: 5

Packet Storm
added 2019/05/16 12:0 a.m. | 101 views

GetSimpleCMS 3.3.15 Remote Code Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "GetSimpleCMS Unauthenticated RCE", 'Description' = %q This module exploits a vulnerability found in GetSimpleCMS, which allows unauthenticated...

AI score: 0.1 | EPSS: 0.54617
Exploits: 5

Metasploit
added 2019/05/02 12:5 a.m. | 63 views

GetSimpleCMS Unauthenticated RCE

This module exploits a vulnerability found in GetSimpleCMS, which allows unauthenticated attackers to perform Remote Code Execution. An arbitrary file upload (PHPcode for example) vulnerability can be triggered by an authenticated user, however authentication can be bypassed by leaking the cms API...

CVSS: 9.8 | AI score: 0.6 | EPSS: 0.54617
Exploits: 5

Hacker One
added 2019/03/30 5:10 a.m. | 7 views

Zomato: Sending Unlimited Emails to anyone from zomato mail server.

Summary: Zomato provides developers to get the rich data of restaurant from their API. https://developers.zomato.com/api But here there is a security issue that can be exploited against Zomato's Simple Email Server on AWS. Description: When we request the apikey from Zomato they ask us for our ema...

AI score: 6.9
Exploits: 0

NVD
added 2019/03/28 7:29 p.m. | 14 views

CVE-2019-9202

Nagios IM component of Nagios XI before 2.2.7 allows authenticated users to execute arbitrary code via API key issues...

CVSS: 8.8 | AI score: 8.9 | EPSS: 0.4252
Exploits: 3 | References: 2

OSV
added 2019/03/28 7:29 p.m. | 0 views

CVE-2019-9202

Nagios IM component of Nagios XI before 2.2.7 allows authenticated users to execute arbitrary code via API key issues...

CVSS: 8.8 | AI score: 7.6
Exploits: 0 | References: 2

Prion
added 2019/03/28 7:29 p.m. | 14 views

Input validation

Nagios IM component of Nagios XI before 2.2.7 allows authenticated users to execute arbitrary code via API key issues...

CVSS: 6.5 | AI score: 8.8 | EPSS: 0.4252
Exploits: 3 | References: 2 | Affected Software: 1

CVE
added 2019/03/28 6:48 p.m. | 51 views

CVE-2019-9202

Nagios IM (component of Nagios XI) prior to 2.2.7 is vulnerable to an authenticated arbitrary code execution via API key issues. This CVE (CVE-2019-9202) is confirmed in Red Hat and other advisories, affecting Nagios IM versions

CVSS: 8.8 | AI score: 8.8 | EPSS: 0.4252
Exploits: 3 | References: 2 | Affected Software: 1

Cvelist
added 2019/03/28 6:48 p.m. | 17 views

CVE-2019-9202

Nagios IM component of Nagios XI before 2.2.7 allows authenticated users to execute arbitrary code via API key issues...

AI score: 8.9 | EPSS: 0.4252
Exploits: 3 | References: 2

Kitploit
added 2019/03/15 11:38 a.m. | 287 views

Arjun v1.3 - HTTP Parameter Discovery Suite

Features: Multi-threading; 4 modes of detection; A typical scan takes 30 seconds; Regex powered heuristic scanning; Huge list of 25,980 parameter names; Makes just 30-35 requests to the target. Usage. Note: Arjun doesn't work with python 3.4. Discover parameters: To find GET parameters, you can simply do:...

AI score: 7.1
Exploits: 0 | References: 2

Veracode
added 2019/02/19 1:44 a.m. | 9 views

Information Disclosure

pact-js is vulnerable to information disclosure. Logs containing confidential information such as an AWS API Key are written into the log file in plain text as warnings when customProviderHeaders is used. This could potentially allow a local attacker to retrieve the information and perform furthe...

AI score: 5.9
Exploits: 0

Check Point Advisories
added 2019/02/19 12:0 a.m. | 3 views

Nagios XI API Key Regeneration Privilege Escalation (CVE-2018-15711)

A privilege escalation vulnerability exists in the API component of Nagios XI. A remote, authenticated attacker can exploit this vulnerability by sending a crafted request to the target system. Successful exploitation of this vulnerability would allow a remote attacker to gain unauthorized access...

CVSS: 6.5 | AI score: 4.7 | EPSS: 0.26613
Exploits: 1

Hacker One
added 2019/02/16 12:30 a.m. | 11 views

Zendesk: Leaked artifactory_api_key via GitHub.

It was reported to Zendesk that a valid API key to an instance of Artifactory was unintentionally leaked via a public GitHub repository. We immediately rotated the key and investigated to ensure it was not utilized by any other party. We want to thank @rubyroobs for providing a detailed report...

AI score: 1.1
Exploits: 0

Prion
added 2019/02/08 3:29 a.m. | 12 views

Design/Logic Flaw

Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in...

CVSS: 4.3 | AI score: 5.6 | EPSS: 0.002
Exploits: 0 | References: 5 | Affected Software: 1