1836 matches found
CVE-2024-38453
The Avalara for Salesforce CPQ app before 7.0 for Salesforce allows attackers to read an API key. NOTE: the current version is 11 as of mid-2024...
CVE-2024-38453
CVE-2024-38453 affects the Avalara for Salesforce CPQ app for Salesforce, prior to version 7.0. The vulnerability allows attackers to read an API key. The public notes indicate the current version is 11 as of mid-2024. The connected documents do not provide detailed root cause analysis, specific ...
CVE-2024-38480
"Piccoma" App for Android and iOS versions prior to 6.20.0 uses a hard-coded API key for an external service, which may allow a local attacker to obtain the API key. Note that the users of the app are not directly affected by this vulnerability...
CVE-2024-38480
CVE-2024-38480 concerns the Piccoma App for Android and iOS prior to version 6.20.0, which contains a hard-coded API key for an external service. The root cause is the hard-coded key embedded in the app, enabling a local attacker to potentially obtain the API key. Per the sources, users of the ap...
CVE-2024-37282
It was identified that under certain specific preconditions, an API key that was originally created with specific privileges could subsequently be used to create new API keys that have elevated privileges...
CVE-2024-37282
CVE-2024-37282 affects Elastic Cloud Enterprise (ECE) where, under certain preconditions, an API key created with limited privileges could be used to create new API keys with elevated privileges. Affected versions are ECE after 3.0.0 and before 3.7.2. The mitigation is to upgrade to version 3.7.2...
JVN#01073312: "Piccoma" App uses a hard-coded API key for an external service
"Piccoma" App for Android and "Piccoma" App for iOS provided by Kakao piccoma Corp. use a hard-coded API key for an external service (CWE-798). Impact: data in the app may be analyzed and the API key for the external service may be obtained. Note that the users of the app are not directly affected by thi...
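As an added example, not code from the Piccoma app, JVN, Kakao piccoma Corp. or any vendor, the following JavaScript shows how the CWE-798 pattern in the entries above is found in practice: pull printable strings out of a byte blob the way `strings` does over an unpacked APK or IPA, then match them against key formats and an entropy gate. The byte blob it scans is constructed here and every key value in it is fake (the AWS one is Amazon's documentation placeholder); the detector list and the 3.5 bits/char threshold are my tuning choices, not a standard.

```javascript
// Added example, not code from the Piccoma app, JVN or any vendor: a scanner
// for the CWE-798 pattern above. It pulls printable strings out of a byte
// blob the way `strings` does over an unpacked APK/IPA (resources, .so files,
// the dex constant pool) and reports tokens that look like embedded API keys.
// The sample blob below is constructed and every key value in it is fake.

// Detectors. The prefix formats are public vendor conventions; the generic
// rule catches assignments such as api_key = "..." and is gated on entropy
// so that placeholders like "xxxxxxxxxxxxxxxxxxxx" are not reported.
// The 3.5 bits/char threshold is an assumed tuning value, not a standard.
const DETECTORS = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g, minEntropy: 0 },
  { name: "google-api-key", re: /\bAIza[0-9A-Za-z_-]{35}\b/g, minEntropy: 0 },
  {
    name: "generic-key-assignment",
    re: /\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*["']?([A-Za-z0-9_\-]{20,})["']?/gi,
    minEntropy: 3.5,
  },
];

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Runs of printable ASCII of at least minLen bytes, like `strings -n`.
function printableStrings(buf, minLen = 8) {
  const out = [];
  let cur = "";
  for (const b of buf) {
    if (b >= 0x20 && b <= 0x7e) {
      cur += String.fromCharCode(b);
      continue;
    }
    if (cur.length >= minLen) out.push(cur);
    cur = "";
  }
  if (cur.length >= minLen) out.push(cur);
  return out;
}

// Scan a Uint8Array; returns [{ detector, value, context }], deduplicated by value.
function scanForHardcodedKeys(buf) {
  const findings = [];
  const seen = new Set();
  for (const s of printableStrings(buf)) {
    for (const d of DETECTORS) {
      d.re.lastIndex = 0; // global regex: reset between strings
      let m;
      while ((m = d.re.exec(s)) !== null) {
        const value = m[1] ?? m[0];
        if (shannonEntropy(value) < d.minEntropy || seen.has(value)) continue;
        seen.add(value);
        findings.push({ detector: d.name, value, context: s });
      }
    }
  }
  return findings;
}

// Constructed sample of what a packed resource or native library looks like
// once unzipped. Keys are fake; the AWS one is Amazon's documentation example.
const SAMPLE_BLOB = new TextEncoder().encode(
  [
    "com.example.reader",
    "\u0001\u0002\u0003",
    'api_key = "9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"',
    "maps_key=AIzaSyD0fake0example0key000000000000000",
    "AKIAIOSFODNN7EXAMPLE",
    'token = "xxxxxxxxxxxxxxxxxxxxxxxx"',
    "https://api.example.com/v1/",
  ].join("\u0000"),
);

for (const f of scanForHardcodedKeys(SAMPLE_BLOB)) {
  console.log(`${f.detector}: ${f.value}  (in: ${f.context})`);
}
```

Run it against the output of unzipping the app package (or against each file in it) instead of the constructed blob; a hit on a vendor-format key is worth reporting regardless of entropy, which is why those detectors carry a zero threshold. The finding is the presence of the key, not its validity: as the JVN note says, the party exposed is the external service the key belongs to, not the app's users.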
Sensitive Information Disclosure
@lobehub/chat is vulnerable to Sensitive Information Disclosure. The vulnerability is due to insecure handling of the base URL in the frontend, allowing an attacker to modify it to their own attack URL. The attacker can then set up a server-side request to obtain the real backend API key...
GHSA-P36R-QXGX-JQ2V Lobe Chat API Key Leak
Summary If an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. Details The attack process is described above. PoC Frontend: 1. Pass basic...
CVE-2024-37895 API Key Leak in lobe-chat
Lobe Chat is an open-source LLMs/AI chat framework. In affected versions if an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. This issu...
CVE-2024-37895
CVE-2024-37895 affects Lobe Chat, an open-source LLM/AI chat framework. In affected versions, if an attacker can authenticate via SSO/Access Code, they can modify the frontend base URL to point to a malicious attack URL and trigger a server-side request, enabling retrieval of the real backend API...
BIT-ELASTICSEARCH-2024-23445 Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions
It was identified that if a cross-cluster API key (https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body) restricts search for a given index using the query or the field_security parameter, an...
Lobe Chat Security Vulnerability
Lobe Chat is an open source, high performance chatbot framework. A security vulnerability exists in Lobe Chat versions prior to 0.162.25, which stems from the fact that if an attacker is able to successfully authenticate via SSO/Access Code, they can obtain the real back-end API key by modifying...
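The Lobe Chat entries above all describe the same step: a client-controlled base URL reaches a server-side request that still carries the server's real API key. As an added example, not Lobe Chat's own code, the JavaScript below builds that upstream request once in the vulnerable shape and once hardened, so the leak can be checked offline. The function names, config object, request format and the rule that a custom endpoint must bring its own key are my assumptions for illustration; the advisory says the fix shipped in 0.162.25, and this is one way to close the hole, not necessarily the exact change the project made.

```javascript
// Added example, not Lobe Chat's own code: the request-building step behind
// CVE-2024-37895, once as the vulnerable pattern and once hardened. The
// function names, config shape, allow rule and request format are assumptions
// for illustration. No network call is made; each function returns the
// upstream request it would send, so the leak can be checked offline.

const SERVER_CONFIG = {
  // Operator-configured upstream and the secret that must never leave the server.
  upstreamBaseUrl: "https://api.openai.com",
  upstreamApiKey: "sk-server-secret-constructed", // constructed, not a real key
};

function joinPath(base, path) {
  return base.replace(/\/+$/, "") + path;
}

// Vulnerable pattern: the (SSO/Access-Code authenticated) client may override
// the base URL, and the server still attaches its own key. A client that
// sends baseURL = "https://attacker.example" receives the Authorization
// header on a host it controls.
function buildUpstreamRequestVulnerable(clientPayload) {
  const base = clientPayload.baseURL || SERVER_CONFIG.upstreamBaseUrl;
  return {
    url: joinPath(base, "/v1/chat/completions"),
    headers: { Authorization: `Bearer ${SERVER_CONFIG.upstreamApiKey}` },
    body: { model: clientPayload.model, messages: clientPayload.messages },
  };
}

// Hardened pattern: the server key travels only to the server-configured
// origin. A client that wants a custom endpoint must supply its own key,
// and the endpoint must be https. (One way to close the hole, not
// necessarily the exact change shipped in Lobe Chat 0.162.25.)
function buildUpstreamRequestHardened(clientPayload) {
  const body = { model: clientPayload.model, messages: clientPayload.messages };
  const custom = typeof clientPayload.baseURL === "string" && clientPayload.baseURL !== "";
  if (!custom) {
    return {
      url: joinPath(SERVER_CONFIG.upstreamBaseUrl, "/v1/chat/completions"),
      headers: { Authorization: `Bearer ${SERVER_CONFIG.upstreamApiKey}` },
      body,
    };
  }
  if (typeof clientPayload.apiKey !== "string" || clientPayload.apiKey === "") {
    throw new Error("custom baseURL requires a client-supplied apiKey");
  }
  const parsed = new URL(clientPayload.baseURL); // throws on garbage
  if (parsed.protocol !== "https:") {
    throw new Error("custom baseURL must use https");
  }
  return {
    url: joinPath(parsed.toString(), "/v1/chat/completions"),
    headers: { Authorization: `Bearer ${clientPayload.apiKey}` },
    body,
  };
}

// Review check: does this request carry the server secret to a foreign origin?
function leaksServerKey(req) {
  const configuredOrigin = new URL(SERVER_CONFIG.upstreamBaseUrl).origin;
  const foreign = new URL(req.url).origin !== configuredOrigin;
  return foreign && req.headers.Authorization.includes(SERVER_CONFIG.upstreamApiKey);
}

// Constructed attacker payload: an authenticated user pointing the
// frontend's base URL at a host they run.
const ATTACKER_PAYLOAD = {
  baseURL: "https://attacker.example",
  model: "gpt-4",
  messages: [{ role: "user", content: "hi" }],
};

console.log("vulnerable leaks:", leaksServerKey(buildUpstreamRequestVulnerable(ATTACKER_PAYLOAD)));
try {
  buildUpstreamRequestHardened(ATTACKER_PAYLOAD);
} catch (e) {
  console.log("hardened rejects:", e.message);
}
```

The question to ask in review of any proxy like this is the one leaksServerKey encodes: can a request that carries the operator's credential be steered to an origin the caller chooses? Authentication in front of the endpoint does not answer it, which is why the advisories stress that an SSO or Access Code login is enough to exploit the original behaviour.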