CVE-2021-3442
A flaw was found in the Red Hat OpenShift API Management product. User input is not validated, allowing an authenticated user to inject scripts into some text boxes, leading to an XSS attack. The highest threat from this vulnerability is to data confidentiality...
Malicious Package
Overview: @epc-apps/api-management-plan is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if...
API Security: Best Practices for a Changing Attack Surface
API usage is skyrocketing. According to the latest State of the API Report, API requests increased by 56% last year to a total of 855 million, and Google says the growth isn’t expected to slow any time soon. APIs – short for application programming interfaces – are a critical component of how...
Malicious code in arm-apimanagement (npm)
Source: ghsa-malware 5b574286818c404aa8d1adbaa13c53d6514164971a157061f7a5a385cd95a0f5. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-233 Malicious code in @epc-apps/api-management-plan (npm)
Source: ghsa-malware dcba229feeeaecf4b840caf01dc046b860329625fbae49197bcdbb35289561d6. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2021-30650
A reflected cross-site scripting (XSS) vulnerability in the Symantec Layer7 API Management OAuth Toolkit (OTK) allows a remote attacker to craft a malicious URL for the OTK web UI and target OTK users with phishing attacks or other social engineering techniques. A successful attack allows injecting...
CVE-2021-30650
The CVE-2021-30650 issue affects Symantec Layer7 API Management OAuth Toolkit (OTK). It is a reflected XSS vulnerability where a remote attacker can craft a malicious URL targeting the OTK web UI, enabling injection of arbitrary code into the OTK web UI client application. Impact is described as ...
CVE-2022-23008
On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. Note: Software...
Code injection
On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. Note: Software...
CVE-2022-23008
Summary: CVE-2022-23008 affects the NGINX Controller API Management software (versions 3.18.0–3.19.0). Vulnerability: An authenticated user with the user or admin role can access undisclosed API endpoints to inject JavaScript that runs on managed NGINX data plane instances. The Red Hat advisory c...
Apache Apisix Licensing Issue Vulnerability
Apache Apisix is a cloud-native microservices API gateway service from the Apache Foundation in the United States. The software is based on OpenResty and etcd for dynamic routing and plug-in hot-loading, and is suitable for API management in microservice systems. An authorization issue...
Moderate: Red Hat Security Advisory: Red Hat 3scale API Management 2.11.1 Release - Container Images
Red Hat 3scale API Management 2.11.1 Release - Container Images A security update for Red Hat 3scale API Management is now available from the Red Hat Container Catalog. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CV...
What Is API Management ❓ All That Novices To Experts Should Learn
The world of mobile and web app development revolves around the API, or Application Programming Interface. It is the mechanism by which an application developer lets applications communicate with each other. While you're dealing with APIs, becoming acquainted with API management operations, tools...
What is API Gateway ❓ How it works ❓
In general, a gateway is a passage that acts as a connector for two components so that together they achieve certain functionality. An API Gateway is not very different. However, it is a crucial topic for many of us to understand, and in this article we have got you covered. Introduction to API Gateway: A...
Important: Red Hat Security Advisory: Red Hat 3scale API Management 2.11.0 Release - Container Images
Red Hat 3scale API Management 2.11.0 Release - Container Images A security update for Red Hat 3scale API Management is now available from the Red Hat Container Catalog. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System...
CVE-2021-41130
Extensible Service Proxy, a.k.a. ESP, is a proxy which enables API management capabilities for JSON/REST or gRPC API services. ESPv1 can be configured to authenticate a JWT token. Its verified JWT claim is passed to the application by the HTTP header "X-Endpoint-API-UserInfo"; the application can use ...
Authorization
Extensible Service Proxy, a.k.a. ESP, is a proxy which enables API management capabilities for JSON/REST or gRPC API services. ESPv1 can be configured to authenticate a JWT token. Its verified JWT claim is passed to the application by the HTTP header "X-Endpoint-API-UserInfo"; the application can use ...