Improper Authentication

snipe/snipe-it is vulnerable to improper authentication. A remote authenticated attacker is able to access unauthorized files through the viewKeys function as long as they have the View permission, which exposes confidential information required to create the API keys without the corresponding...

How Uber was hacked in 2022

What happened? The first information about the incident was issued yesterday, September 15th, 2022. We know that a hacker called “Tea Pot” successfully accessed Uber infrastructure and critical cloud services such as AWS, Slack, Google Workspace, and others. Most likely, Uber understood what had...

CVE-2022-36073

RubyGems.org is the Ruby community gem host. A bug in password & email change confirmation code allowed an attacker to change their RubyGems.org account's email to an unowned email address. Having access to an account whose email has been changed could enable an attacker to save API keys for that...

Design/Logic Flaw

RubyGems.org is the Ruby community gem host. A bug in password & email change confirmation code allowed an attacker to change their RubyGems.org account's email to an unowned email address. Having access to an account whose email has been changed could enable an attacker to save API keys for that...

CVE-2022-36073 RubyGems allows creation of users with arbitrary unverified emails

RubyGems.org is the Ruby community gem host. A bug in password & email change confirmation code allowed an attacker to change their RubyGems.org account's email to an unowned email address. Having access to an account whose email has been changed could enable an attacker to save API keys for that...

CVE-2022-36073 RubyGems allows creation of users with arbitrary unverified emails

RubyGems.org is the Ruby community gem host. A bug in password & email change confirmation code allowed an attacker to change their RubyGems.org account's email to an unowned email address. Having access to an account whose email has been changed could enable an attacker to save API keys for that...

PT-2022-23161 · Unknown · Rubygems.Org

Name of the Vulnerable Software and Affected Versions: RubyGems.org affected versions not specified Description: A bug in the password and email change confirmation code allowed an attacker to change their RubyGems.org account's email to an unowned email address. This could enable the attacker to...

Over 1,800 Android and iOS Apps Found Leaking Hard-Coded AWS Credentials

Researchers have identified 1,859 apps across Android and iOS containing hard-coded Amazon Web Services AWS credentials, posing a major security risk. "Over three-quarters 77% of the apps contained valid AWS access tokens allowing access to private AWS cloud services," Symantec's Threat Hunter...

Cross-Site Request Forgery (CSRF)

froxlor/froxlor is vulnerable to cross-site request forgery. The vulnerability exists due to the lack of security checks in the deleting api keys in apikeys.php, allowing an attacker to delete the api keys with the specified id by redirecting to the api key deletion endpoint through the GET reque...

Improper Authentication

Description There are two permissions not working correctly: The Licenses - View and Modify License Files & the Self - Create API Keys permission. License Files Files can be uploaded to licenses. There is a permission for users called View and Modify License Files. However, this permission is...

多款ZOHO ManageEngine产品安全漏洞

ZOHO ManageEngine OpManager etc. are products of ZOHO India.ZOHO ManageEngine OpManager is a comprehensive network monitoring software.ZOHO ManageEngine OpManager Plus is an IT operations management solution for Windows and Linux systems. ZOHO ManageEngine OpManager Plus is an IT operations...

Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys

Researchers have uncovered a list of 3,207 mobile apps that are exposing Twitter API keys in the clear, some of which can be utilized to gain unauthorized access to Twitter accounts associated with them. The takeover is made possible, thanks to a leak of legitimate Consumer Key and Consumer Secre...

Design/Logic Flaw

In zulip before 1.3.12, bot API keys were accessible to other users in the same realm...

CVE-2016-4426

CVE-2016-4426 affects Zulip prior to 1.3.12, where bot API keys were accessible to other users in the same realm. Remediation: upgrade to Zulip 1.3.12 or later. NVD lists CVSS v3.1 base score 4.3 (Medium). No exploitation details are provided in the available documents.

CVE-2016-4426

In zulip before 1.3.12, bot API keys were accessible to other users in the same realm...

PT-2022-7863 · Zulip · Zulip

Name of the Vulnerable Software and Affected Versions: Zulip versions prior to 1.3.12 Description: The issue allows bot API keys to be accessible to other users within the same realm. Recommendations: For versions prior to 1.3.12, update to version 1.3.12 or later to resolve the issue...

Planet Labs: Api data leak

A security vulnerability was identified where sensitive API keys were exposed through archived data accessible via the Wayback Machine. Some of these API keys were found to be valid...

U.S. Dept Of Defense: IDOR Lead To VIEW & DELETE & Create api_key [HtUS]

Hi Dod & Hackerone Team i hope you are Doing Well Today : Explaining: i found That a User With a Member Permission in a Organization Can Create & View & DELETE APIKEYS Step To Reproduce: 1 First Create 2 Accounts From Here https://███ 2 Log in With The Victim User and Create New Group From Here...

Jenkins OpsGenie Plugin Information Disclosure Vulnerability

Jenkins and Jenkins Plugin are both Jenkins open source products. jenkins is an application. An open source automation server, Jenkins provides hundreds of plugins to support building, deploying, and automating any project.Jenkins Plugin is an application.An information disclosure vulnerability...

GHSA-7R65-PJGV-H2H9 Jenkins OpsGenie Plugin vulnerable to Cleartext Transmission of Sensitive Information

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file com.opsgenie.integration.jenkins.OpsGenieNotifier.xml and in job config.xml files on the Jenkins controller as part of its configuration. Additionally, they are transmitted in plain text as part o...