1828 matches found
CVE-2019-19251
The Last.fm desktop app Last.fm Scrobbler through 2.1.39 on macOS makes HTTP requests that include an API key without the use of SSL/TLS. Although there is an Enable SSL option, it is disabled by default, and cleartext requests are made as soon as the app starts...
CVE-2018-1999031
An exposure of sensitive information vulnerability exists in Jenkins meliora-testlab Plugin 1.14 and earlier in TestlabNotifier.java that allows attackers with file system access to the Jenkins master to obtain the API key stored in this plugin's configuration...
CVE-2015-1613
RhodeCode before 2.2.7 allows remote authenticated users to obtain API keys and other sensitive information via the 1 updaterepo, 2 getlocks, or 3 getusergroups API method...
CVE-2025-3853
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callbackgenerateapikey due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above...
CVE-2025-3853
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callbackgenerateapikey due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above...
CVE-2025-3853 WPshop 2 – E-Commerce 2.0.0 - 2.6.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Key Generation
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callbackgenerateapikey due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above...
CVE-2025-3853 WPshop 2 – E-Commerce 2.0.0 - 2.6.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Key Generation
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callbackgenerateapikey due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above...
CVE-2025-3853
CVE-2025-3853 affects WPshop 2 – E-Commerce for WordPress (versions 2.0.0–2.6.0). The vulnerability is an Insecure Direct Object Reference in the callback_generate_api_key() function due to missing validation on a user-controlled key. Exploitation requires authenticated access at Subscriber level...
PT-2025-19909 · WordPress · Wpshop 2
Name of the Vulnerable Software and Affected Versions: WPshop 2 – E-Commerce plugin for WordPress versions 2.0.0 through 2.6.0 Description: The issue allows authenticated attackers with Subscriber-level access and above to create valid API keys on behalf of other users due to missing validation o...
WakaTime: user api key leaked
The user's API key was found exposed in an older URL while testing the WakaTime tool. The API key successfully authenticated requests to a restricted endpoint, indicating that it was valid and granted access to protected resources...
CVE-2025-3102
The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secretkey' value in the 'autheticateuser' function in all versions up to, and including, 1.0.78. Th...
Nagios Log Server 2024R1.3.1 - API Key Exposure
Exploit Title: Nagios Log Server 2024R1.3.1 - API Key Exposure Date: 2025-04-08 Exploit Author: Seth Kraft, Alex Tisdale Vendor Homepage: https://www.nagios.com/ Vendor Changelog: https://www.nagios.com/changelog/log-server Software Link: https://www.nagios.com/products/log-server/download/...
CVE-2025-3102
The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secretkey' value in the 'autheticateuser' function in all versions up to, and including, 1.0.78. Th...
PT-2025-15910
Name of the Vulnerable Software and Affected Versions OttoKit formerly SureTriggers versions 1.0.0 through 1.0.78 Description The vulnerability is related to an authentication bypass issue in the OttoKit WordPress plugin, which allows unauthenticated attackers to create administrator accounts on...
RubyGems: Memory leak in gem decode logic can allow attacker to take down Rubygems.org application
A memory leak vulnerability was discovered in the gem decode logic of the Rubygems.org application. The vulnerability allowed an attacker with a valid API key to set arbitrary instance variables during the decoding of gem metadata, which would cause the server to exhaust its memory. The issue was...
CVE-2025-31727
Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...
CVE-2025-31728
Jenkins AsakusaSatellite Plugin 0.1.1 and earlier does not mask AsakusaSatellite API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them...
Jenkins Cadence vManager Plugin Stores Verisium Manager vAPI keys Unencrypted
Jenkins Cadence vManager Plugin 4.0.0-282.v5096ac2db275 and earlier stores Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins...
Jenkins AsakusaSatellite Plugin Does not Mask API Keys via Job Configuration Form
Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...
CVE-2025-31728
Jenkins AsakusaSatellite Plugin 0.1.1 and earlier does not mask AsakusaSatellite API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them...