Security Bulletin: IBM Watson CP4D Data Stores is vulnerable to Elastic Elasticsearch sensitive information disclosure vulnerability (CVE-2024-23451)
Summary Potential Elastic Elasticsearch sensitive information disclosure vulnerability CVE-2024-23451 has been identified that may affect IBM Watson CP4D Data Stores. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID: CVE-2024-23451...
CVE-2024-48310
AutoLib Software Systems OPAC v20.10 was discovered to have multiple API keys exposed within the source code. Attackers may use these keys to access the backend API or other sensitive information...
MAL-2025-611 Malicious code in cschalk (npm)
This package exfiltrates API keys to an attacker-controlled server. It also has destructive functionality to delete development-related directories...
PT-2025-1272
Name of the Vulnerable Software and Affected Versions SimpleHelp remote support software versions 5.5.7 and before Description The issue allows low-privilege technicians to create API keys with excessive permissions, which can be used to escalate privileges to the server admin role. Attackers ca...
CVE-2024-57726
SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privilege technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role...
CVE-2024-12559
The ClickDesigns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clickdesignsaddapi' and the 'clickdesignsremoveapi' functions in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to...
CVE-2024-12559 ClickDesigns <= 1.8.0 - Missing Authorization to API Key Modification or Removal
The ClickDesigns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clickdesignsaddapi' and the 'clickdesignsremoveapi' functions in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to...
CVE-2024-12559
CVE-2024-12559 affects the ClickDesigns WordPress plugin. A missing capability check in functions clickdesigns_add_api and clickdesigns_remove_api allows unauthenticated modification of the plugin’s API key across all versions up to 1.8.0. Public records confirm this can enable data modification ...
IBM Cognos Controller and IBM Controller trust management vulnerability
IBM Cognos Controller and IBM Controller are both products of International Business Machines (IBM). IBM Cognos Controller is a business intelligence and planning solution. The product features process automation, financial audit control, and the creation and management of financial reports. IBM...
WordPress ClickDesigns plugin <= 1.8.0 - Missing Authorization to API Key Modification or Removal vulnerability
Missing Authorization to API Key Modification or Removal vulnerability discovered by Ryan Zegar in WordPress Plugin ClickDesigns versions <= 1.8.0...
1Password - Enterprise Password Manager: API Key Exposed in JavaScript File on 1Password Developer Site
An API key has been exposed in the JavaScript file accessible via the public developer documentation for 1Password. This exposure could potentially allow unauthorized access to APIs or services that rely on this key, leading to a range of security issues, including data leakage or unauthorized...
CVE-2024-32965 SSRF vulnerability in lobe-chat
Lobe Chat is an open-source AI chat framework. Versions of lobe-chat prior to 1.19.13 have an unauthorized SSRF vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information. The JWT token header...
CVE-2024-10781
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to a missing empty value check on the 'apikey' value in the 'perform' function in all versions up to, and including, 6.44. This makes it possible for...
VulnCheck KEV: CVE-2024-10781
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to a missing empty value check on the 'apikey' value in the 'perform' function in all versions up to, and including, 6.44. This makes it possible for...
AnythingLLM Information Disclosure Vulnerability
AnythingLLM is a chatbot application that supports building with commercial or open-source large language models combined with a private knowledge base. An information disclosure vulnerability exists in AnythingLLM, which can be exploited to obtain an API key from a process environment variable...
WordPress plugin Spam protection, Anti-Spam, FireWall by CleanTalk security vulnerability
WordPress and the WordPress plugin are both products of the WordPress Foundation, a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in the WordPress plugi...
Logging into webui as view only internal user provides overly privileged bearer key
Description When a user with the role "internaluserviewer" logs into the application they are provided with an overly privileged API key. This key can be used to access all the admin functionality of the application. The following steps are taken: An admin creates an Internal User with the role...
Authentication Bypass
OctoPrint is vulnerable to an Authentication Bypass. The vulnerability is due to inadequate session handling in OctoPrint, which allows an attacker with temporary control over an authenticated session to access or delete the API key without requiring reauthentication...