1080 matches found
Starbucks: Full Api Access and Run All Functions via Starbucks App
The tested application is the Starbucks Turkey Android app: https://play.google.com/store/apps/details?id=com.starbucks.tr&hl=en All of these things were done without any login. I did not log in to the app. 1. I tried to intercept traffic between the Starbucks app and the server with Burp Suite. I could not be...
SUSE-SU-2017:1233-1 Security update for openstack-magnum
This update for openstack-magnum fixes the following issues: Security issues fixed: - CVE-2016-7404: Magnum created instances have full API access to creating user's OpenStack account (bsc#998182). Bugfixes: - Fixed exception for InvalidParameterValue. - Updated patches have been tested against...
DEBIAN-CVE-2016-6335
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 does not generate head items in the context of a given title, which allows remote attackers to obtain sensitive information via a parse action to api.php...
X (Formerly Twitter): CSRF on Periscope Web OAuth authorization endpoint
Hi, I would like to report an issue in the OAuth authorization endpoint on Periscope Web. This allows a malicious 3rd party application to gain full API access to a victim's Periscope account. Details Periscope has developer APIs that allow a 3rd party application to access resources on behalf of...
Information Disclosure
spark-core is vulnerable to information disclosure. The vulnerability is possible due to a flaw in the security filter, which does not perform authentication at the application level but instead at the root of the UI. Therefore, the data and application in the SHS can be accessed through the REST API by a...
Security vulnerabilities fixed in Firefox ESR 45.6 — Mozilla
Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption. Event handlers on marquee elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript. Memory corruption resulting in a potentially...
CVE-2016-4811
The NTT Broadband Platform Japan Connected-free Wi-Fi application 1.15.1 and earlier for Android and 1.13.0 and earlier for iOS allows man-in-the-middle attackers to obtain API access via unspecified vectors...
Design/Logic Flaw
The NTT Broadband Platform Japan Connected-free Wi-Fi application 1.15.1 and earlier for Android and 1.13.0 and earlier for iOS allows man-in-the-middle attackers to obtain API access via unspecified vectors...
Cybozu Garoon fails to restrict access permissions
Overview: Cybozu Garoon is a groupware. Cybozu Garoon fails to restrict access permissions in the API to retrieve the Address Book information. Note that this vulnerability is different from JVN53542912. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through...
Newphoria Auction Camera Application Authentication Bypass Vulnerability
Newphoria Auction Camera for iOS and Android is a suite of online video preview and recording applications for iOS and Android platforms from Newphoria Japan. A security restriction bypass vulnerability exists in the Newphoria Auction Camera application. It allows an attacker to bypass URL...
Newphoria applican framework authentication bypass vulnerability
Newphoria applican framework for Android and iOS is an application development framework for the Android and iOS platforms from Newphoria, Japan. An authentication bypass vulnerability exists in Newphoria applican framework. This allows attackers to bypass the whitelist.xml URL whitelist...
Vulnerability in the Newphoria Reversi application
Newphoria Reversi for Android and iOS is a suite of Othello game apps based on the Android and iOS platforms from the Japanese company Newphoria. A security vulnerability exists in the Newphoria Reversi application. An attacker can exploit this vulnerability to bypass the URL whitelist protection...
Newphoria Koritore app has full vulnerability
Newphoria Koritore for Android and iOS is a set of Android and iOS based platforms from Newphoria Japan. A security vulnerability exists in versions of the Newphoria Koritore app for Android and iOS based platforms prior to version 1.1. An attacker can exploit the vulnerability to bypass the URL...
CVE-2015-5637
The Newphoria Photon application before 1.2 for Android allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors...
CVE-2015-5636
The Newphoria Reversi application before 1.0.3 for Android and before 1.2 for iOS allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors...
CVE-2015-5634
The Newphoria MEGAPHONE MUSIC application before 1.1 for Android and before 1.1 for iOS allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors...
CVE-2015-5633
The Newphoria Auction Camera application for iOS and before 1.2 for Android allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors...
Design/Logic Flaw
The Newphoria MEGAPHONE MUSIC application before 1.1 for Android and before 1.1 for iOS allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors...
Design/Logic Flaw
The Newphoria Auction Camera application for iOS and before 1.2 for Android allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors...