1836 matches found
API key automatic revocation
An issue has been identified in PAN-OS that prevents old management API keys for local administrator accounts from being invalidated upon password change until the device is rebooted. This issue can create a period of time during which an administrator changes the account password, thus creating ...
ManageEngine OpManager - Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'ManageEngine OpManager Remote Code Execution', 'Description' = %q This module exploits a default credential vulnerability in...
OWASP ZAP 2.4.1 - Penetration Testing Tool for Testing Web Applications
The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration...
Just-Metadata - Tool that Gathers and Analyzes Metadata about IP Addresses
Just-Metadata is a tool that can be used to gather intelligence information passively about a large number of IP addresses, and attempt to extrapolate relationships that might not otherwise be seen. Just-Metadata has "gather" modules which are used to gather metadata about IPs loaded into the...
CVE-2015-0260
CVE-2015-0260 affects RhodeCode prior to 2.2.7 and Kallithea 0.1, where remote authenticated users can obtain API keys and other sensitive information via the get_repo API method. Multiple connected sources (GitHub advisory GHSA-HHX9-4VW2-X54R, Veracode entry, NVD entry, and OSV/PYSEC records) co...
CVE-2015-0260
RhodeCode before 2.2.7 and Kallithea 0.1 allows remote authenticated users to obtain API keys and other sensitive information via the get_repo API method...
Multi Gather RubyGems API Key
This module obtains a user's RubyGems API key from /.gem/credentials. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Multi Gather RubyGems API Key', 'Description' = %q This module obtains a...
Vimeo: Misconfigured crossdomain.xml - vimeo.com
An overly permissive crossdomain.xml file on a domain that serves sensitive content is a major security risk. It exposes the domain hosting the improperly configured crossdomain.xml file to information disclosure and request forgery. Attackers can not only forge requests, they can read responses...
Enter: Stored XSS in api key of operator wallet
1. Make an operation wallet 2. Open wallet settings 3. Press "New key" 4. In source code remove "maxlength=30" of key's name input tag - no length check on server-side 5. Fill name input with "asdf" PoC 6. Press "Generate Key" 7. After that when open wallet settings we got XSS. 8. In case we can...
vBulletin 4.x SQL Injection
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2014-2022 - vbulletin 4.x - SQLi in breadcrumbs via xmlrpc API post-auth ============================================================================ == Overview - -------- date : 10/12/2014 cvss : 7.1 AV:N/AC:H/Au:S/C:C/I:C/A:C base cwe : 89 vend...
vBulletin 4.x/5.x - AdminCP/ApiLog via xmlrpc API (Authenticated) Persistent Cross-Site Scripting
vBulletin 4.x/5.x - AdminCP/ApiLog via xmlrpc API (Authenticated) Persistent Cross-Site Scripting CVE-2014-2021 - vBulletin 5.x/4.x - persistent XSS in AdminCP/ApiLog via xmlrpc API post-auth Overview...
Omeka 2.2 - CSRF And Stored XSS Vulnerability
Omeka version 2.2 suffers from cross site request forgery and cross site scripting vulnerabilities. Omeka 2.2 CSRF And Stored XSS Vulnerability Vendor: Omeka Team CHNM GMU Product web page: http://www.omeka.org Affected version: 2.2 Summary: Omeka is a free, flexible, and open source...
Bitly Compromised, Users Urged to Change Passwords
Link shortening service Bitly informed its users Thursday that it believes user credentials – passwords, API keys and OAuth tokens – have been compromised. While the company claims there’s no real indication that any accounts were accessed without authorization, in a post on its blog the company...
WordPress iMember360is 3.9.001 XSS / Disclosure / Code Execution
------------ BACKGROUND ------------ "iMember360is a WordPress plugin that will turn a normal WordPress site into a full featured membership site. It includes all the protection controls you can imagine, yet driven by Infusionsoft's second-to-none CRM and e-commerce engine." --...
Palo Alto Networks PAN-OS 4.1.x < 4.1.16 / 5.0.x < 5.0.10 / 5.1.x < 5.1.5 API Key Bypass Flaw
The remote host is running a version of Palo Alto Networks PAN-OS prior to 4.1.16 / 5.0.10 / 5.1.5. It is, therefore, affected by an API key bypass flaw which allows a remote attacker to bypass the XML API key for a session that has already been authorized. Note that Nessus has not tested for thi...
Management API Key Bypass
An XML API key can be bypassed if a session has been authorized. This can be used in a CSRF or XSS attack. Ref 58976...
CVE-2014-1234
The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process...
Design/Logic Flaw
The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process...
CVE-2014-1234
CVE-2014-1234 affects the paratrooper-newrelic gem (Ruby) v1.0.1. A local attacker can obtain the X-Api-Key by listing the curl process, due to leakage in the process tree. Impact is local exposure of the API key. Public patches or mitigations are not detailed in the provided documents; refer to ...