HealthForYou 1.11.1 / HealthCoach 2.9.2 Account Takeover Vulnerability
HealthForYou version 1.11.1 and HealthCoach version 2.9.2 contain a vulnerability that allows account takeover when the attacker knows nothing more than the victim's email address. Account takeover with only email address possible Overview Advisory ID: TRSA-2104-02 Advisory version: 1.0 Advisory status:...
HackerOne: Improper data update process on UpdatePhabricatorIntegration mutation leads to leak of Phabricator Conduit API token.
Details Title: Improper data update process on UpdatePhabricatorIntegration mutation leads to leak of Phabricator Conduit API token. Risk: High Impact: High Exploitability: High Target: baseurl parameter on UpdatePhabricatorIntegration mutation at /graphql endpoint. Introduction Sensitive data...
Exploit for Path Traversal in Gitlab
Warning: for demonstration purposes and ethical hacking only...
GitLab Access Control Error Vulnerability (CNVD-2021-26106)
GitLab is a self-hosted Git repository management application built on Ruby on Rails by the American company GitLab. It gives access to a project's file contents, commit history, issue list, and more. An access control error vulnerability exists in GitLab...
CVE-2021-22171
Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link...
Input validation
Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link...
CVE-2021-22171
GitLab CVE-2021-22171 affects GitLab Pages in GitLab 11.5 and later. The root cause is insufficient validation of authentication parameters, enabling an attacker to steal a victim’s API token when the user clicks a maliciously crafted link. Documents consistently describe this vector as the impac...
CVE-2021-22171
Removed by vendor...
Gitlab -- vulnerability
The GitLab Team reports: Ability to steal a user's API access token through GitLab Pages...
CVE-2019-16281
Ptarmigan before 0.2.3 lacks API token validation, e.g., an "if token === apiToken return true; return false;" code block...
Code injection
Ptarmigan before 0.2.3 lacks API token validation, e.g., an "if token === apiToken return true; return false;" code block...
CVE-2020-26261 user-readable api tokens in systemd units
jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner before version 0.15 user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users...
h1-ctf: [H1-2006 2020] Multiple vulnerabilities lead to CEO account takeover and paid bounties
Summary: 1. A publicly accessible logfile discloses a user's credentials 2. Weak 2FA implementation allows user account takeover 3. Path injection in user's cookie allows SSRF, bypassing the IP restriction to list available builds on https://software.bountypay.h1ctf.com/ 4. API token leak in...
HackerOne: Near to Infinite loop when changing Group's name that has API token as Team Member
Summary: The https://hackerone.com site contains an iteration or loop with an exit condition that makes it nearly an infinite loop. If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory, or even mount a DoS attack. Description: Hello...
Font Awesome 4.0.0-RC15 & RC16 - API Token & Access Token Disclosure
The vulnerability exposes the Font Awesome API token and access token for users who have configured the plugin to use a kit. If compromised, these tokens could give an unauthorized person access to that user’s list of kits and kit settings...
QIWI: Leak of some access token
An error occurred while specifying a quotation mark in the GET parameter userId at https://api.qiwi.me/social-networks/vk?userId=lc%27. The error contained the API token of the Piggibox application from the social network VKontakte. When a quotation mark is added to the GET parameter userId...