1825 matches found
CVE-2016-6266
cccaajaxhandler.php in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) host or (2) apikey parameter in a register action, (3) enable parameter ...
ip-geolocation-map-bing NSE Script
This script queries the Nmap registry for the GPS coordinates of targets stored by previous geolocation scripts and renders a Bing Map of markers representing the targets. The Bing Maps REST API has a limit of 100 markers, so if more coordinates are found, only the top 100 markers by number of IP...
Mozilla Firefox Privilege Access Vulnerability
Mozilla Firefox is an open source web browser developed by the Mozilla Foundation in the United States. Mozilla Firefox has a security vulnerability, an attacker can use the API key glocation in the broadcast protection through the pre-installed application to define the same permissions can be...
Ubiquiti Inc.: Exposed API-key allows to control nightly builds of firmwares (█████████ & ████████)
The researcher found a public API token that was mistakenly granted full-access permission, which allowed the creation/overwrite of nightly builds of UniFi Firmware. Publicly available api-key granted full access permissions to API that controls nightly builds of Ubiquiti firmwares, i.e. it was...
signup-demo.kapook.com Open Redirect vulnerability
Vulnerable URL: http://signup-demo.kapook.com/connect/kapook/?apikey=APIKEY=https://www.openbugbounty.org
Details:
Description | Value
---|---
Patched: | No
Latest check for patch: | 27.07.2017
Vulnerability type: | Open Redirect
Vulnerability status: | Publicly disclosed
Alexa Rank | Unknown / Not...
shodan-api NSE Script
Queries Shodan API for given targets and produces similar output to a -sV nmap scan. The ShodanAPI key can be set with the 'apikey' script argument, or hardcoded in the .nse file itself. You can get a free key from N.B if you want this script to run completely passively make sure to include the -...
Algolia: API Key added for one Indices works for all other indices too.
Hi, I created one API key and restricted it to only one index by adding it and gave it the right to create records. Now this API key can be used to add records in other indices in the same account. Screenshot is attached...
Palo Alto Networks PAN-OS API Key Persistence Security Bypass (PAN-SA-2015-0006)
The Palo Alto Networks PAN-OS running on the remote host is a version prior to 6.1.7 or 7.x prior to 7.0.2. It is, therefore, affected by a security bypass vulnerability due to a failure to invalidate the local administrator API keys after a password change has been performed, the old keys being...
Palo Alto PAN-OS API Key Automatic Revocation Vulnerability (PAN-SA-2015-0006)
An issue has been identified in PAN-OS that prevents old management API keys for local administrator accounts from being invalidated upon password change until the device is rebooted.
API key automatic revocation
An issue has been identified in PAN-OS that prevents old management API keys for local administrator accounts from being invalidated upon password change until the device is rebooted. This issue can create a period of time during which an administrator changes the account password, thus creating ...
ManageEngine OpManager - Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'ManageEngine OpManager Remote Code Execution', 'Description' = %q This module exploits a default credential vulnerability in...
OWASP ZAP 2.4.1 - Penetration Testing Tool for Testing Web Applications
The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration...
Just-Metadata - Tool that Gathers and Analyzes Metadata about IP Addresses
Just-Metadata is a tool that can be used to gather intelligence information passively about a large number of IP addresses, and attempt to extrapolate relationships that might not otherwise be seen. Just-Metadata has "gather" modules which are used to gather metadata about IPs loaded into the...
CVE-2015-0260
CVE-2015-0260 affects RhodeCode prior to 2.2.7 and Kallithea 0.1, where remote authenticated users can obtain API keys and other sensitive information via the get_repo API method. Multiple connected sources (GitHub advisory GHSA-HHX9-4VW2-X54R, Veracode entry, NVD entry, and OSV/PYSEC records) co...
CVE-2015-0260
RhodeCode before 2.2.7 and Kallithea 0.1 allows remote authenticated users to obtain API keys and other sensitive information via the get_repo API method...
Multi Gather RubyGems API Key
This module obtains a user's RubyGems API key from ~/.gem/credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Multi Gather RubyGems API Key', 'Description' = %q This module obtains a...
Vimeo: Misconfigured crossdomain.xml - vimeo.com
An overly permissive crossdomain.xml file on a domain that serves sensitive content is a major security risk. It exposes the domain hosting the improperly configured crossdomain.xml file to information disclosure and request forgery. Attackers can not only forge requests, they can read responses...
Enter: Stored XSS in api key of operator wallet
1. Make an operation wallet 2. Open wallet settings 3. Press "New key" 4. In source code remove "maxlength=30" of key's name input tag - no length check on server-side 5. Fill name input with "asdf" PoC 6. Press "Generate Key" 7. After that when open wallet settings we got XSS. 8. In case we can...
vBulletin 4.x SQL Injection
CVE-2014-2022 - vbulletin 4.x - SQLi in breadcrumbs via xmlrpc API post-auth. Overview: date : 10/12/2014 cvss : 7.1 AV:N/AC:H/Au:S/C:C/I:C/A:C base cwe : 89 vend...
vBulletin 4.x/5.x - AdminCP/ApiLog via xmlrpc API (Authenticated) Persistent Cross-Site Scripting
CVE-2014-2021 - vBulletin 5.x/4.x - persistent XSS in AdminCP/ApiLog via xmlrpc API post-auth. Overview...