1257 matches found
CVE-2023-0005 PAN-OS: Exposure of Sensitive Information Vulnerability
A vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to expose the plaintext values of secrets stored in the device configuration and encrypted API keys...
PAN-OS: Exposure of Sensitive Information Vulnerability
A vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to expose the plaintext values of secrets stored in the device configuration and encrypted API keys. Workaround: This issue requires the attacker to have authenticated access to the PAN-OS management...
Information Disclosure
io.apiman: apiman-manager-api-rest-impl is vulnerable to Information Disclosure. An authenticated attacker is able to gain access to API keys they do not have permission for if they correctly guess the URL which includes Organisation ID, Client ID, and Client Version. Access to the non-permitted...
AlienFox Malware Targets API Keys and Secrets from AWS, Google, and Microsoft Cloud Services
A new "comprehensive toolset" called AlienFox is being distributed on Telegram as a way for threat actors to harvest credentials from API keys and secrets from popular cloud service providers. "The spread of AlienFox represents an unreported trend towards attacking more minimal cloud services,...
GHSA-M6F8-HJRV-MW5F Apiman vulnerable to permissions bypass due to missing check on API key URL
Impact Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL. The URL includes Organisation ID, Client ID, and Client Version of the targeted non-permitted...
CVE-2023-28640
Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client...
Design/Logic Flaw
Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client...
CVE-2023-28640
Summary: CVE-2023-28640 affects Apiman. A missing permissions check allowed an authenticated Apiman Manager user to access API keys they should not have permission for by guessing a URL that includes Organisation ID, Client ID, and Client Version. This is not trivial but possible via brute-forcing or gue...
CVE-2023-28640 Permissions bypass in Apiman could enable authenticated attacker to access unpermitted API key
Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client...
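The Apiman entries above all describe the same bug class: a key-retrieval endpoint that checks only that the caller is logged in, not that the caller may read the organisation named in the URL. The following Python is an added illustration of that pattern and its fix; it is not Apiman's code, and the data, user names and function names are constructed for the example.

```python
# Added illustration of the missing-permission-check pattern described above
# (not Apiman's code): a key lookup keyed by organisation, client and version.

# Constructed sample data: API keys indexed by (organisation, client, version).
API_KEYS = {
    ("acme", "mobile-app", "1.0"): "ak_acme_mobile_0001",
    ("globex", "billing", "2.3"): "ak_globex_billing_0042",
}

# Constructed permission table: the organisations each authenticated user may read.
USER_ORGS = {
    "alice": {"acme"},
    "mallory": {"globex"},
}


class Forbidden(Exception):
    """Caller is not authenticated."""


class NotFound(Exception):
    """No such key, or the caller may not learn whether it exists."""


def get_api_key_vulnerable(user, org_id, client_id, version):
    """Vulnerable variant: authentication only. Any logged-in user who guesses
    the (org, client, version) tuple receives someone else's API key."""
    if user not in USER_ORGS:
        raise Forbidden("not authenticated")
    key = API_KEYS.get((org_id, client_id, version))
    if key is None:
        raise NotFound("no such client version")
    return key


def get_api_key_fixed(user, org_id, client_id, version):
    """Hardened variant: check the caller's right to the organisation in the
    URL before touching the key store, and answer 'not found' either way so
    a guessed path cannot be confirmed by a 403-versus-404 difference."""
    if user not in USER_ORGS:
        raise Forbidden("not authenticated")
    if org_id not in USER_ORGS[user]:
        raise NotFound("no such client version")
    key = API_KEYS.get((org_id, client_id, version))
    if key is None:
        raise NotFound("no such client version")
    return key


def probe(handler, user, org_id, client_id, version):
    """Call a handler the way an attacker would: return the key on success,
    or the exception class name on failure."""
    try:
        return handler(user, org_id, client_id, version)
    except (Forbidden, NotFound) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # mallory (globex) guesses acme's path: the vulnerable handler hands over the key.
    guessed = ("acme", "mobile-app", "1.0")
    print("vulnerable:", probe(get_api_key_vulnerable, "mallory", *guessed))
    print("fixed:     ", probe(get_api_key_fixed, "mallory", *guessed))
```

The hardened handler deliberately answers a cross-organisation request with the same "not found" result as a non-existent client, so that the URL-guessing the advisory mentions cannot be used to enumerate valid Organisation/Client/Version tuples either.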
Zero-day spells disaster for Bitcoin ATM
Bitcoin ATMs have experienced a severe bout of cash drain after a zero-day bug was exploited to steal a total of $1.5 million in digital currency. The ATMs, located in various convenience stores, function along the lines of regular banking ATMs except your dealings are all in the cryptocurrency...
Hackers Steal Over $1.6 Million in Crypto from General Bytes Bitcoin ATMs Using Zero-Day Flaw
Bitcoin ATM maker General Bytes disclosed that unidentified threat actors stole cryptocurrency from hot wallets by exploiting a zero-day security flaw in its software. "The attacker was able to upload his own java application remotely via the master service interface used by terminals to upload...
Cross site request forgery (csrf)
FreshRSS is a self-hosted RSS feed aggregator. When using the greader API, the provided password is logged in clear in users/_/log_api.txt in the case where the authentication fails. The issue occurs in authorizationToUser in greader.php. If there is an issue with the request or the credentials,...
CVE-2023-22481 Sensitive information exposure in the logs of greader API in FreshRSS
FreshRSS is a self-hosted RSS feed aggregator. When using the greader API, the provided password is logged in clear in users/_/log_api.txt in the case where the authentication fails. The issue occurs in authorizationToUser in greader.php. If there is an issue with the request or the credentials,...
CVE-2023-22481
CVE-2023-22481 affects FreshRSS with its greader API. The failure paths unauthorized()/badRequest() print debugInfo(), which returns the request content, causing passwords or API keys to be logged in clear in users/_/log_api.txt (and optionally syslog if COPY_LOG_TO_SYSLOG is true). Exploitation ...
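The FreshRSS entries describe a failure path that dumps the whole request into a diagnostic log, so the very credential that just failed to authenticate ends up on disk. The following Python is an added illustration of that logging mistake next to a redacting version; it is not FreshRSS's code, the request is constructed for the example, and the list of sensitive field and header names is an assumption (Passwd is used here as the login field name).

```python
from urllib.parse import parse_qsl, urlencode

# Form fields and headers that must never reach a log line. The set is an
# assumption for this illustration, not a list taken from FreshRSS.
SENSITIVE_FIELDS = {"passwd", "password", "api_key", "apikey", "token", "secret"}
SENSITIVE_HEADERS = {"authorization", "cookie"}
MASK = "REDACTED"

# Constructed failed-login request, shaped like a GReader-style ClientLogin call.
SAMPLE_REQUEST = {
    "method": "POST",
    "path": "/api/greader.php/accounts/ClientLogin",
    "headers": {
        "User-Agent": "reader-client/1.0",
        "Authorization": "GoogleLogin auth=alice/abc123",
    },
    "body": "Email=alice&Passwd=hunter2",
}


def debug_info_unsafe(request):
    """Mimics a failure-path dump of the raw request: credentials included.
    Writing this line to a log file is the bug described above."""
    return (f"{request['method']} {request['path']} "
            f"headers={request['headers']} body={request['body']}")


def redact_body(body):
    """Mask the values of sensitive form fields, keeping the other fields intact
    so the log line is still useful for diagnosing a bad request."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode(
        [(k, MASK if k.lower() in SENSITIVE_FIELDS else v) for k, v in pairs]
    )


def redact_headers(headers):
    """Mask credential-bearing headers; case-insensitive on the header name."""
    return {k: (MASK if k.lower() in SENSITIVE_HEADERS else v) for k, v in headers.items()}


def debug_info_redacted(request):
    """Same diagnostic shape as the unsafe dump, with secrets masked before
    the line is assembled, so nothing downstream (file or syslog) can leak them."""
    safe = dict(
        request,
        headers=redact_headers(request["headers"]),
        body=redact_body(request["body"]),
    )
    return debug_info_unsafe(safe)


def leaks(line, secrets):
    """True if any of the given secret values appears verbatim in a log line.
    Useful as a unit test on whatever logging helper a project actually uses."""
    return any(s in line for s in secrets)


if __name__ == "__main__":
    print(debug_info_unsafe(SAMPLE_REQUEST))
    print(debug_info_redacted(SAMPLE_REQUEST))
```

Redacting at the point where the diagnostic string is built, rather than in a log filter, matters here because the snippet above notes the same line can also be copied to syslog; a single masked representation covers every sink.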
CVE-2023-26468
Cerebrate 1.12 does not properly consider organisationid during creation of API keys...
Design/Logic Flaw
Cerebrate 1.12 does not properly consider organisationid during creation of API keys...