CVE-2024-3185 Rapid7 Insight Agent Sensitive Key Exposed To Local Users
A key used in logging.json does not follow the least privilege principle by default and is exposed to local users in the Rapid7 Platform. This allows an attacker with local access to a machine with the logging.json file to use that key to authenticate to the platform with high privileges. This wa...
CVE-2024-3185
CVE-2024-3185 (Rapid7 Insight Agent/Rapid7 Platform) involves a misconfigured key in logging.json that, by default, does not adhere to the least-privilege principle and is exposed to local users. An attacker with local access could use this key to authenticate to the platform with elevated privil...
CVE-2024-32466 Tolgee's API key scopes not checked when querying translation data
Tolgee is an open-source localization platform. For the /v2/projects/translations and /v2/projects/projectId/translations endpoints, translation data was returned even when the API key was missing the translation.view scope. However, it was impossible to fetch the data when the user was missing this scope. S...
CVE-2024-32470 Tolgee's API keys created by server admin users bypass the permission check
Tolgee is an open-source localization platform. When an API key created by an admin user is used, it bypasses the permission check entirely. This error was introduced in v3.57.2 and immediately fixed in v3.57.4...
CVE-2024-32470
Tolgee (open-source localization platform) contains a vulnerability in versions 3.57.2 through 3.57.3 where an API key created by a server/admin user can bypass permission checks. The issue enables elevated access without proper authorization, as admin-created API keys bypass the normal authoriza...
CVE-2023-4509
It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt...
PT-2024-24598 · Tolgee · Tolgee
Name of the Vulnerable Software and Affected Versions: Tolgee versions 3.57.2 through 3.57.3 Description: Tolgee is an open-source localization platform. When an API key created by an admin user is used, it bypasses the permission check entirely. Recommendations: For Tolgee versions 3.57.2 through...
CVE-2023-4509
CVE-2023-4509 affects Octopus Server. The issue allows an API key to be logged in clear text in audit log files after an invalid login attempt, exposing credentials through log data. Affected: Octopus Server (audit/logging path). Root cause stated: API keys are written in plaintext to audit logs ...
PT-2024-13214 · Octopus Deploy +1 · Octopus Server
Name of the Vulnerable Software and Affected Versions: Software affected versions not specified Description: The issue allows an API key to be logged in clear text in the audit log file after an invalid login attempt. Recommendations: At the moment, there is no information about a newer version...
Download IP2Location Country Blocker < 2.34.3 - Cross-Site Request Forgery
Description The Download IP2Location Country Blocker plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.34.2. This is due to missing or incorrect nonce validation on the validateapikey function. This makes it possible for unauthenticated attackers...
Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1
Summary Audit records for OpenAPI requests may include sensitive information. Impact Unauthorized access, privilege escalation. Mitigation Nozomi Networks recommends creating specific users for OpenAPI usage, with only the necessary permissions to access the required data sources. Additionally, i...
CVE-2023-6777 WP Go Maps (formerly WP Google Maps) <= 9.0.34 - Information Exposure to Potential Denial of Service
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthenticated API key disclosure in versions up to, and including, 9.0.34 due to the plugin adding the API key to several plugin files. This makes it possible for unauthenticated attackers to obtain the developer's...