Stripo Inc: Insecure Storage and Overly Permissive API Keys
Summary: I am surfing on the stripo.email website. I found sensitive data including an authentication key/secret token written in a publicly accessible subdo. We found an aviaryApiKey and other secret key exposed in staging.empleio.stripo.email. Risk Factors: Most often developers, for their ease of...
CVE-2021-32790
Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors already having admin access, or API keys to the WooCommerce site can exploit vulnerable...
Privilege Escalation
ghost is vulnerable to privilege escalation. Any user is able to access Admin-level API keys and gain access to secured functions...
Privilege escalation: all users can access Admin-level API keys
Impact An error in the implementation of the limits service in 4.0.0 allows all authenticated users including contributors to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. GhostPro has already been patched. Self-hosters are impacted ...
GHSA-J5C2-HM46-WP5C Privilege escalation: all users can access Admin-level API keys
Impact An error in the implementation of the limits service in 4.0.0 allows all authenticated users including contributors to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. GhostPro has already been patched. Self-hosters are impacted ...
Cariddi - Take A List Of Domains, Crawl Urls And Scan For Endpoints, Secrets, Api Keys, File Extensions, Tokens And More...
Take a list of domains, crawl URLs and scan for endpoints, secrets, API keys, file extensions, tokens and more... Preview Installation You need Go. Linux: git clone https://github.com/edoardottt/cariddi.git; cd cariddi; go get; make linux to install; make unlinux to uninstall. Or in one line: git clone...
CVE-2021-33220
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. Hard-coded API Keys exist...
CVE-2021-33220
CVE-2021-33220 affects CommScope Ruckus IoT Controller, version 1.7.1.0 and earlier. The vulnerability stems from hard-coded API keys embedded in the OVA image and web application code, which can be exposed when the filesystem is mounted. Reported impact includes exposure of API keys that can be ...
Automated remediation level 4: Actual automation
Let’s get to automatically remediating already! This entry will be the last in our series based on The 4 Levels of Automated Remediation. After the previous 3 steps—where we discussed everything from logging to best practices to account hygiene—it’s time to talk about the actions that really let...
Advisory ROSA-SA-2021-1857
Software: junit 4.11 OS: Cobalt 7.9 CVE-ID: CVE-2020-15250 CVE-Crit: MEDIUM CVE-DESC: In JUnit4, from version 4.7 through 4.13.1, the TemporaryFolder test rule contains a local information disclosure vulnerability. In Unix-like systems, a system's temporary directory is shared by all users on tha...
Cortex XSOAR: Unauthorized Usage of the REST API
An improper authorization vulnerability in Palo Alto Networks Cortex XSOAR enables a remote unauthenticated attacker with network access to the Cortex XSOAR server to perform unauthorized actions through the REST API. Workaround: Until the XSOAR server is upgraded, to completely prevent the issu...
CVE-2021-23020
The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys...
CVE-2021-23020
CVE-2021-23020 affects F5 NGINX Controller (NGINX Controller, NAAS API keys) where API keys are generated with an insecure pseudo-random string and hashing algorithm, potentially allowing a local attacker to predict/generate valid keys for access. Exploitation status is not detailed in the provid...
CommScope Ruckus IoT Controller 1.7.1.0 Hard-Coded API Keys Exposed Vulnerability
CommScope Ruckus IoT Controller 1.7.1.0 Hard-Coded API Keys Exposed Vulnerability 1. Vulnerability Details Affected Vendor: CommScope Affected Product: Ruckus IoT Controller Affected Version: 1.7.1.0 and earlier Platform: Linux CWE Classification: CWE-798: Use of Hard-coded Credentials CVE ID:...
CommScope Ruckus IoT Controller 1.7.1.0 Hard-Coded API Keys Exposed
KL-001-2021-002: CommScope Ruckus IoT Controller Hard-coded API Keys Exposed Title: CommScope Ruckus IoT Controller Hard-coded API Keys Exposed Advisory ID: KL-001-2021-002 Publication Date: 2021.05.26 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2021-002.txt 1. Vulnerabilit...