315 matches found

OSV · added 2024/09/06 9:37 p.m. · 20 views
GHSA-9J4F-F249-Q5W8 Default installation of `synthetic-monitoring-agent` exposes sensitive information
Impact: Users running the Synthetic Monitoring agent in their local network are impacted. The authentication token used to communicate with the Synthetic Monitoring API is exposed through a debugging endpoint. This token can be used to retrieve the Synthetic Monitoring checks created by the user and...
CVSS 7.2 · AI score 5.5 · EPSS 0.00381 · Exploits 0 · References 9

NVD · added 2024/07/26 2:15 a.m. · 16 views
CVE-2024-4447
In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API UserSessionAjax.getSessionList.dwr calls. While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack...
CVSS 9.9 · EPSS 0.00114 · Exploits 0 · References 1

Cvelist · added 2024/07/26 2:02 a.m. · 20 views
CVE-2024-4447
In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API UserSessionAjax.getSessionList.dwr calls. While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack...
CVSS 9.9 · EPSS 0.00114 · Exploits 0 · References 1

Vulnrichment · added 2024/07/26 2:02 a.m. · 9 views
CVE-2024-4447
In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API UserSessionAjax.getSessionList.dwr calls. While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack...
CVSS 9.9 · AI score 5.8 · EPSS 0.00114 · Exploits 0 · References 1

NVD · added 2024/06/24 7:15 a.m. · 21 views
CVE-2024-24550
A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious...
CVSS 8.9 · EPSS 0.00144 · Exploits 1 · References 1

Cvelist · added 2024/06/24 7:11 a.m. · 24 views
CVE-2024-24554 Bludit - Insecure Token Generation
Bludit uses predictable methods in combination with the MD5 hashing algorithm to generate sensitive tokens such as the API token and the user token. This allows attackers to authenticate against the Bludit API...
CVSS 6 · EPSS 0.00117 · Exploits 0 · References 1

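The entry above says Bludit derived its API and user tokens from predictable inputs run through MD5. The Python example below is added here to show why that matters; it is not Bludit's code, and the `weak_token` generator, its second-resolution timestamp seed and the `Api` oracle are hypothetical stand-ins. When the hash input is something an attacker can bound (an install time known to within an hour), the whole candidate space is a few thousand strings, and each one can be tried against the API's own authentication check. A token from the OS CSPRNG (`secrets.token_hex`) has no structure to enumerate.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def weak_token(created_at: int) -> str:
    """Hypothetical weak generator: MD5 of a second-resolution timestamp.

    Stand-in for 'predictable method + MD5'; it is not Bludit's actual code.
    MD5 is not the core problem: the input has almost no entropy, so the
    output is enumerable no matter which hash function is used.
    """
    return hashlib.md5(str(created_at).encode()).hexdigest()


def strong_token() -> str:
    """256 bits from the OS CSPRNG; nothing for an attacker to enumerate."""
    return secrets.token_hex(32)


class Api:
    """Minimal stand-in for an API that authenticates bearer tokens."""

    def __init__(self, token: str) -> None:
        self._token = token
        self.attempts = 0  # how many guesses the attacker burned

    def authenticate(self, token: str) -> bool:
        self.attempts += 1
        # constant-time compare: not the issue here, but the right habit
        return hmac.compare_digest(token, self._token)


def guess_token(api: Api, approx_created_at: int, window: int = 3600) -> Optional[str]:
    """Attacker side: the token was created within +/- window seconds of a
    time the attacker can estimate. Every candidate is regenerated with the
    same weak method and tried against the API's authentication check."""
    for t in range(approx_created_at - window, approx_created_at + window + 1):
        candidate = weak_token(t)
        if api.authenticate(candidate):
            return candidate
    return None


def demo() -> dict:
    install_time = 1_700_000_000  # constructed sample timestamp
    weak_api = Api(weak_token(install_time))
    # the attacker's estimate of the creation time is off by a few minutes
    found = guess_token(weak_api, install_time + 137)

    strong_api = Api(strong_token())
    not_found = guess_token(strong_api, install_time + 137)

    return {
        "weak_recovered": found == weak_token(install_time),
        "weak_attempts": weak_api.attempts,
        "strong_recovered": not_found is not None,
        "strong_attempts": strong_api.attempts,
    }


if __name__ == "__main__":
    print(demo())
```

Against the weak generator the attacker succeeds after about 3,500 guesses; against the CSPRNG token the full window is exhausted with nothing found, and widening the window does not help because the token was never a function of time.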
CVE · added 2024/06/24 7:05 a.m. · 97 views
CVE-2024-24550
CVE-2024-24550 impacts Bludit via the File API, where an attacker with knowledge of the API token can upload arbitrary files, leading to arbitrary code execution on the server. The root cause is improper handling of file uploads, enabling PHP file uploads and execution. Affected software is Bludi...
CVSS 8.9 · AI score 7.7 · EPSS 0.00144 · Exploits 1 · References 1 · Affected software 1

Vulnrichment · added 2024/06/24 7:05 a.m. · 51 views
CVE-2024-24550 Bludit - Remote Code Execution (RCE) through File API
A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious...
CVSS 8.9 · AI score 8 · EPSS 0.00144 · Exploits 1 · References 1

Hacker One · added 2024/05/31 12:38 p.m. · 34 views
HackerOne: 2FA requirement bypass when claiming bounty
Vulnerability description not provided...
AI score 7.1 · Exploits 0

OSV · added 2024/05/24 8:52 p.m. · 15 views
GO-2024-2879 Dapr API Token Exposure in github.com/dapr/dapr
Dapr API Token Exposure in github.com/dapr/dapr...
CVSS 5.3 · AI score 5.2 · EPSS 0.00436 · Exploits 0 · References 6

Vulnrichment · added 2024/05/23 8:47 a.m. · 13 views
CVE-2024-35223 Dapr API Token Exposure
Dapr is a portable, event-driven runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes a leak of the application token of the invoker app to the invoked app when using Dapr as a...
CVSS 5.3 · AI score 5.6 · EPSS 0.00436 · Exploits 0 · References 5

Github Security Blog · added 2024/05/22 6:47 p.m. · 27 views
Dapr API Token Exposure
Summary: A vulnerability has been found in Dapr that causes a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This issue arises because Dapr sends the app token of the invoker app instead of the app token of the...
CVSS 5.3 · AI score 5.5 · EPSS 0.00436 · Exploits 0 · References 7 · Affected software 1

OSV · added 2024/05/22 6:47 p.m. · 16 views
GHSA-284C-X8M7-9W5H Dapr API Token Exposure
Summary: A vulnerability has been found in Dapr that causes a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This issue arises because Dapr sends the app token of the invoker app instead of the app token of the...
CVSS 5.3 · AI score 5.4 · EPSS 0.00436 · Exploits 0 · References 7

RedHat Linux · added 2024/05/21 9:58 a.m. · 51 views
Important: Red Hat Security Advisory: RHACS 4.4 enhancement and security update
Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes changes, bug fixes, and updates to patch vulnerabilities. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base...
CVSS 7.5 · AI score 7 · EPSS 0.64852 · Exploits 2 · References 4

Github Security Blog · added 2024/05/14 10:13 p.m. · 123 views
Grafana Forward OAuth Identity Token can allow users to access some data sources
When a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token and no other user credentials will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have...
CVSS 4.3 · AI score 6.6 · EPSS 0.00521 · Exploits 0 · References 9 · Affected software 1

Github Security Blog · added 2024/04/22 6:37 p.m. · 28 views
LibreNMS vulnerable to a Time-Based Blind SQL injection leads to database extraction
Summary: Get a valid API token, make sure you can access API functions, then replace the string in my PoC code. Tested on the official OVA image; it's an old version, 23.9.1, but this vulnerability also exists in the latest version, 24.2.0. Details: in file apifunctions.php, line 307, for function listdevices: php $orde...
CVSS 7.2 · AI score 8.2 · EPSS 0.00405 · Exploits 1 · References 4 · Affected software 1

NVD · added 2024/03/29 4:15 p.m. · 6 views
CVE-2023-49231
An authentication bypass vulnerability was found in Stilog Visual Planning 8. It allows an unauthenticated attacker to receive an administrative API token...
CVSS 9.8 · AI score 6.9 · EPSS 0.00833 · Exploits 1 · References 4

CVE · added 2024/03/29 12:00 a.m. · 111 views
CVE-2023-49231
An authentication bypass affecting Stilog Visual Planning 8 (pre-build 240207) is documented. A wildcard injection inside a prepared SQL statement in the REST API v2.0 enabled attackers to exfiltrate the REST API key and obtain an administrative API token, granting unauthenticated admin access. T...
CVSS 9.8 · AI score 7.1 · EPSS 0.00833 · Exploits 1 · References 4

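The entry above attributes the Stilog bypass to a wildcard injection inside a prepared SQL statement. Parameter binding stops quote-based injection, but when the bound value ends up in a LIKE pattern, `%` and `_` are still interpreted, and a yes/no answer (row found or not) becomes an oracle for recovering a stored secret one character at a time. The Python example below is added to illustrate that technique; it is not Stilog's code, and the `api_keys` table, the key value and the `key_exists_*` lookups are constructed stand-ins. It runs the extraction against an in-memory SQLite database and shows the fix: escape the wildcards (or compare with `=` when no pattern matching is wanted) so the supplied value is matched literally.

```python
import sqlite3
import string
from typing import Callable

# SQLite's LIKE is case-insensitive for ASCII, so the sample key is lowercase.
ALPHABET = string.ascii_lowercase + string.digits


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: one REST API key stored in a table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (id INTEGER PRIMARY KEY, key TEXT NOT NULL)")
    conn.execute("INSERT INTO api_keys (key) VALUES (?)", ("k7f3a9c1",))
    return conn


def key_exists_vulnerable(conn: sqlite3.Connection, supplied: str) -> bool:
    """Parameterised, so safe from quote injection, but the bound value is a
    LIKE pattern: '%' and '_' supplied by the caller still act as wildcards."""
    row = conn.execute("SELECT 1 FROM api_keys WHERE key LIKE ?", (supplied,)).fetchone()
    return row is not None


def escape_like(value: str, esc: str = "\\") -> str:
    """Neutralise LIKE metacharacters so the value matches literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def key_exists_fixed(conn: sqlite3.Connection, supplied: str) -> bool:
    """Same lookup with wildcards escaped and the escape character declared."""
    row = conn.execute(
        "SELECT 1 FROM api_keys WHERE key LIKE ? ESCAPE '\\'",
        (escape_like(supplied),),
    ).fetchone()
    return row is not None


def exfiltrate(oracle: Callable[[str], bool], max_len: int = 64) -> str:
    """Attacker side: extend the known prefix one character at a time using
    'prefix + c + %' as the pattern; a hit means c is the next character.
    Stops when no character extends the prefix, i.e. the full key has been
    recovered or the oracle does not honour wildcards."""
    known = ""
    while len(known) < max_len:
        for c in ALPHABET:
            if oracle(known + c + "%"):
                known += c
                break
        else:
            break
    return known


def demo() -> dict:
    conn = setup_db()
    queries = {"n": 0}

    def counted(fn: Callable[[sqlite3.Connection, str], bool]) -> Callable[[str], bool]:
        def oracle(pattern: str) -> bool:
            queries["n"] += 1
            return fn(conn, pattern)
        return oracle

    leaked = exfiltrate(counted(key_exists_vulnerable))
    vulnerable_queries = queries["n"]
    queries["n"] = 0
    leaked_after_fix = exfiltrate(counted(key_exists_fixed))
    return {
        "leaked": leaked,
        "vulnerable_queries": vulnerable_queries,
        "leaked_after_fix": leaked_after_fix,
        "fixed_accepts_real_key": key_exists_fixed(conn, "k7f3a9c1"),
        "fixed_rejects_wildcard": key_exists_fixed(conn, "%"),
    }


if __name__ == "__main__":
    print(demo())
```

With a 36-character alphabet the vulnerable lookup gives up the eight-character key in under 200 requests, each of which is a perfectly well-formed, parameterised query; nothing in a SQL-injection signature would flag it. After escaping, the same extraction loop recovers nothing while the legitimate exact-match lookup still works.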
Cvelist · added 2024/03/29 12:00 a.m. · 11 views
CVE-2023-49231
An authentication bypass vulnerability was found in Stilog Visual Planning 8. It allows an unauthenticated attacker to receive an administrative API token...
AI score 7.2 · EPSS 0.00833 · Exploits 1 · References 4

Vulnrichment · added 2024/03/29 12:00 a.m. · 6 views
CVE-2023-49231
An authentication bypass vulnerability was found in Stilog Visual Planning 8. It allows an unauthenticated attacker to receive an administrative API token...
AI score 9.8 · EPSS 0.00833 · Exploits 1 · References 4