202 matches found

NVD
added 2023/03/27 9:15 p.m. | 8 views

CVE-2023-28640

Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client...

CVSS 6.4 | AI score 6.4 | EPSS 0.00133
Exploits 0 | References 2
Prion
added 2023/03/27 9:15 p.m. | 15 views

Design/Logic Flaw

Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client...

CVSS 2.1 | AI score 4 | EPSS 0.00133
Exploits 0 | References 2 | Affected Software 1
CVE
added 2023/03/27 8:46 p.m. | 100 views

CVE-2023-28640

Summary: CVE-2023-28640 affects Apiman. A missing permissions check allowed an authenticated Apiman Manager user to access API keys they should not have permission for by guessing a URL that includes Organisation ID, Client ID, and Client Version. This is not trivial but possible via brute-forcing or gue...

CVSS 6.4 | AI score 4.5 | EPSS 0.00133
Exploits 0 | References 2 | Affected Software 1
Cvelist
added 2023/03/27 8:46 p.m. | 12 views

CVE-2023-28640 Permissions bypass in Apiman could enable authenticated attacker to unpermitted API Key

Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client...

CVSS 6.4 | AI score 6.6 | EPSS 0.00133
Exploits 0 | References 2
OSV
added 2023/03/27 8:46 p.m. | 16 views

CVE-2023-28640 Permissions bypass in Apiman could enable authenticated attacker to unpermitted API Key

Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client...

CVSS 6.4 | AI score 4.8 | EPSS 0.00133
Exploits 0 | References 4
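The pattern the CVE-2023-28640 entries above describe, a resource URL built from Organisation ID, Client ID and Client Version that is served to any authenticated account, shown as an added Python example that is not Apiman's code: the in-memory store, the organisation and user names, the `harvest` helper and the `GUESSES` list are all constructed assumptions. The vulnerable lookup checks only that someone is logged in; the fixed one decides from the caller's membership of the organisation named in the URL, before the lookup, and returns the same denial whether or not the guessed client exists.

```python
"""Vulnerable and fixed lookups for a resource addressed by Organisation ID,
Client ID and Client Version.  Constructed example: the store, the names and
the harvest helper are assumptions and not Apiman's code."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """The caller may not read the requested resource."""


@dataclass
class Store:
    # (org_id, client_id, version) -> API key.  Constructed sample data.
    api_keys: dict = field(default_factory=dict)
    # org_id -> usernames holding read rights on that organisation.  Constructed.
    members: dict = field(default_factory=dict)


def sample_store() -> Store:
    """Two organisations; alice belongs to OrgA only, bob to OrgB only."""
    s = Store()
    s.api_keys[("OrgA", "mobile", "1.0")] = "key-a-1"
    s.api_keys[("OrgB", "partner", "2.3")] = "key-b-2"
    s.members["OrgA"] = {"alice"}
    s.members["OrgB"] = {"bob"}
    return s


def get_api_key_vulnerable(store, user, org_id, client_id, version):
    """Checks only that a user is logged in.  The path components alone select
    the key, so any account that guesses OrgB/partner/2.3 receives OrgB's key."""
    if user is None:
        raise Forbidden("authentication required")
    return store.api_keys.get((org_id, client_id, version))


def get_api_key_fixed(store, user, org_id, client_id, version):
    """Authorisation is decided from the caller's membership of the organisation
    named in the URL, before the resource is looked up."""
    if user is None:
        raise Forbidden("authentication required")
    if user not in store.members.get(org_id, set()):
        # Same error whether or not the client/version exists, so a denied
        # request does not confirm a guessed identifier.
        raise Forbidden("caller is not a member of %s" % org_id)
    return store.api_keys.get((org_id, client_id, version))


def harvest(store, user, getter, guesses):
    """Replay guessed (org, client, version) URLs through `getter` and collect
    every key that comes back; models the enumeration the advisory describes."""
    found = {}
    for org_id, client_id, version in guesses:
        try:
            key = getter(store, user, org_id, client_id, version)
        except Forbidden:
            continue
        if key is not None:
            found[(org_id, client_id, version)] = key
    return found


def is_denied(getter, store, user, org_id, client_id, version) -> bool:
    """True when the getter refuses the request outright (not merely 'not found')."""
    try:
        getter(store, user, org_id, client_id, version)
    except Forbidden:
        return True
    return False


# Constructed guess list: alice's own client, bob's client, and a plausible
# but non-existent version under bob's organisation.
GUESSES = [
    ("OrgA", "mobile", "1.0"),
    ("OrgB", "partner", "2.3"),
    ("OrgB", "partner", "9.9"),
]

if __name__ == "__main__":
    s = sample_store()
    print("vulnerable:", harvest(s, "alice", get_api_key_vulnerable, GUESSES))
    print("fixed:     ", harvest(s, "alice", get_api_key_fixed, GUESSES))
```

Run as a script, the vulnerable getter hands alice both organisations' keys; the fixed getter hands her only OrgA's. Note that the fixed getter raises `Forbidden` for OrgB/partner/9.9 as well as OrgB/partner/2.3: a "not found" for one and a "forbidden" for the other would let an attacker confirm which guesses name a real client.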
F5 Networks
added 2023/02/21 6:35 p.m. | 48 views

K57735782: NGINX Controller API Management vulnerability CVE-2022-23008

Security Advisory Description: An authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. CVE-2022-23008 Impact: Successful exploitation...

CVSS 5.5 | AI score 5.4 | EPSS 0.00247
Exploits 0 | Affected Software 1
The Hacker News
added 2023/01/17 2:12 p.m. | 70 views

Microsoft Azure Services Flaws Could've Exposed Cloud Resources to Unauthorized Access

Four different Microsoft Azure services have been found vulnerable to server-side request forgery (SSRF) attacks that could be exploited to gain unauthorized access to cloud resources. The security issues, which were discovered by Orca between October 8, 2022 and December 2, 2022 in Azure API...

AI score 0.3
Exploits 0
Veracode
added 2023/01/13 7:32 a.m. | 20 views

Directory Traversal

Gravitee API Management is vulnerable to path traversal. The vulnerability exists in the Email service due to an HTML injection which allows an attacker to read arbitrary files via a /management/users/register request...

CVSS 8.6 | AI score 8.4 | EPSS 0.00787
Exploits 0 | References 4 | Affected Software 3
OSV
added 2023/01/04 12:30 a.m. | 21 views

GHSA-VP62-M958-QJ8C Gravitee API Management contains Path Traversal

This CVE addresses the partial fix for CVE-2019-25075. Gravitee API Management before 3.15.13 allows path traversal through HTML injection. A certain HTML injection combined with path traversal in the Email service in Gravitee API Management before 3.15.13 allows anonymous users to read arbitrary...

CVSS 8.6 | AI score 6.4 | EPSS 0.00787
Exploits 0 | References 5
Github Security Blog
added 2023/01/04 12:30 a.m. | 60 views

Gravitee API Management contains Path Traversal

This CVE addresses the partial fix for CVE-2019-25075. Gravitee API Management before 3.15.13 allows path traversal through HTML injection. A certain HTML injection combined with path traversal in the Email service in Gravitee API Management before 3.15.13 allows anonymous users to read arbitrary...

CVSS 8.6 | AI score 6.9 | EPSS 0.00787
Exploits 0 | References 5 | Affected Software 1
OSV
added 2023/01/03 10:15 p.m. | 10 views

CVE-2022-38723

Gravitee API Management before 3.15.13 allows path traversal through HTML injection...

CVSS 8.6 | AI score 8.8
Exploits 0 | References 2
NVD
added 2023/01/03 10:15 p.m. | 13 views

CVE-2022-38723

Gravitee API Management before 3.15.13 allows path traversal through HTML injection...

CVSS 8.6 | AI score 8.8 | EPSS 0.00787
Exploits 0 | References 2
Github Security Blog
added 2023/01/03 12:28 p.m. | 71 views

Apiman has potential permissions bypass

Impact: Incorrect default permissions for certain read-only resources in Apiman 1.5.7.Final through 2.2.3.Final in the Apiman Manager REST API allows a remote authenticated attacker to access information and resources in Apiman Organizations they are not a member of and/or do not have...

CVSS 6.5 | AI score 5.8 | EPSS 0.00062
Exploits 0 | References 6 | Affected Software 1
OSV
added 2023/01/03 12:28 p.m. | 45 views

GHSA-J94P-HV25-RM5G Apiman has potential permissions bypass

Impact: Incorrect default permissions for certain read-only resources in Apiman 1.5.7.Final through 2.2.3.Final in the Apiman Manager REST API allows a remote authenticated attacker to access information and resources in Apiman Organizations they are not a member of and/or do not have...

CVSS 7.1 | AI score 6 | EPSS 0.00062
Exploits 0 | References 6
Vulnrichment
added 2023/01/03 12:00 a.m. | 6 views

CVE-2022-38723

Gravitee API Management before 3.15.13 allows path traversal through HTML injection...

AI score 7.1 | EPSS 0.00787
Exploits 0 | References 2
Positive Technologies
added 2023/01/03 12:00 a.m. | 4 views

PT-2023-13640 · Unknown · Gravitee Api Management

Name of the Vulnerable Software and Affected Versions: Gravitee API Management versions prior to 3.15.13. Description: The issue allows path traversal through HTML injection, potentially enabling anonymous users to read arbitrary files. This is achieved by combining HTML injection with path...

CVSS 8.6 | AI score 8.5 | EPSS 0.00787
Exploits 0 | References 8
CNNVD
added 2023/01/03 12:00 a.m. | 2 views

Gravitee API Management path traversal vulnerability

Gravitee API Management is an open source Gravitee API management tool. A path traversal vulnerability exists in Gravitee API Management versions prior to 3.15.13; it stems from an HTML injection that allows an attacker to perform path traversal...

CVSS 8.6 | AI score 7.9 | EPSS 0.00787
Exploits 0 | References 3
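The Gravitee entries above say only that an HTML injection in the Email service ends in anonymous arbitrary file reads; the page does not give the mechanism, so the added example below (not Gravitee's code) demonstrates only the file-access side: a template lookup that concatenates a caller-influenced name onto its directory, beside one that resolves the joined path and refuses anything outside the template directory. The directory layout, file names and function names are constructed assumptions, and how the name reaches the lookup is not modelled.

```python
"""Template lookup that concatenates a caller-influenced name beside one that
confines the resolved path to the template directory.  Constructed example,
not Gravitee's code: the directory layout and function names are assumptions,
and the HTML-injection step named in the advisory is not modelled here."""
import tempfile
from pathlib import Path


def read_template_vulnerable(root: Path, name: str) -> str:
    # Joins the name straight onto the root.  "../secret.txt" walks out of the
    # directory, and an absolute name such as "/etc/hostname" replaces root
    # entirely because pathlib discards the left operand.
    return (root / name).read_text()


def read_template_fixed(root: Path, name: str) -> str:
    root_resolved = root.resolve()
    # Resolve after joining so "..", symlinks and absolute names are all
    # collapsed before the containment test; a string prefix check on the
    # unresolved name would miss all three.
    target = (root_resolved / name).resolve()
    if root_resolved not in target.parents:
        raise PermissionError("template name escapes %s" % root_resolved)
    if target.suffix != ".html":
        raise PermissionError("not a template file: %s" % target.name)
    return target.read_text()


def demo() -> tuple:
    """Build a scratch tree (constructed sample data) with one template and one
    file outside the template directory, then exercise both readers.  Returns
    (what the vulnerable reader leaked, whether the fixed reader refused the
    same name, what the fixed reader returns for a legitimate name)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "templates"
        root.mkdir()
        (root / "welcome.html").write_text("<p>Welcome</p>")
        (base / "secret.txt").write_text("SECRET")

        leaked = read_template_vulnerable(root, "../secret.txt")
        try:
            read_template_fixed(root, "../secret.txt")
            blocked = False
        except PermissionError:
            blocked = True
        legit = read_template_fixed(root, "welcome.html")
        return leaked, blocked, legit


def is_refused(name: str) -> bool:
    """True when the hardened reader rejects `name` against a fresh scratch
    tree containing only templates/welcome.html."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "templates"
        root.mkdir()
        (root / "welcome.html").write_text("<p>Welcome</p>")
        try:
            read_template_fixed(root, name)
        except PermissionError:
            return True
        except FileNotFoundError:
            return False
        return False


if __name__ == "__main__":
    print(demo())
```

The containment test is on the resolved path, so `../templates/welcome.html` is accepted (it normalises back inside the directory) while `../secret.txt`, an absolute name and an empty name are all refused; a naive check for `..` in the string would get the first case wrong and miss the absolute-path case entirely.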
Github Security Blog
added 2022/12/20 12:30 a.m. | 25 views

Duplicate Advisory: Apiman has insufficient checks for read permissions

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-j94p-hv25-rm5g. This link is maintained to preserve external references. Original Description: Apiman 1.5.7 through 2.2.3.Final has insufficient checks for read permissions within the Apiman Manager REST API. A...

CVSS 6.5 | AI score 6.8 | EPSS 0.00062
Exploits 0 | References 5 | Affected Software 1
Vulnrichment
added 2022/11/30 7:05 p.m. | 5 views

CVE-2022-37919

A vulnerability exists in the API of Aruba EdgeConnect Enterprise. An unauthenticated attacker can exploit this condition via the web-based management interface to create a denial-of-service condition which prevents the appliance from properly responding to API requests in Aruba EdgeConnect...

CVSS 7.5 | AI score 7.5 | EPSS 0.01642
Exploits 0 | References 1
CNVD
added 2022/11/16 12:00 a.m. | 21 views

YAPI SQL Injection Vulnerability

YAPI is an API management platform. YAPI is vulnerable to SQL injection, which can be exploited by attackers to obtain user tokens and cause command execution...

AI score 4.5
Exploits 0 | References 1