SolarWinds Orion API authentication bypass allows remote command execution
Overview: The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. Description: The SolarWinds Orion Platform is a suite of infrastructure and system monitoring and management products. The SolarWinds Orion API is embedded into the...
Jenkins 2.235.3 - 'X-Forwarded-For' Stored XSS
Exploit Title: Jenkins 2.235.3 - 'X-Forwarded-For' Stored XSS Date: 11/12/2020 Exploit Author: gx1 Vendor Homepage: https://www.jenkins.io/ Software Link: https://updates.jenkins-ci.org/download/war/ Version: '. To understand how remote build trigger works, have a look at this post:...
CVE-2020-13927
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at...
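The two defaults the entry contrasts, as an added illustration of the `[api]` section of `airflow.cfg` (not a file taken from the Airflow project): the pre-1.10.11 backend accepts every Experimental API request without credentials, the 1.10.11+ backend rejects every request until an authenticating backend is configured.

```ini
[api]
# Pre-1.10.11 default (allow-all): any client that can reach the webserver
# can call the Experimental API unauthenticated. Shown commented out as the weak setting.
# auth_backend = airflow.api.auth.backend.default

# Default from 1.10.11 onward: reject all API requests unless an authenticating
# backend (e.g. the Kerberos backend or a custom one) is set instead.
auth_backend = airflow.api.auth.backend.deny_all
```

When auditing an older deployment, grep for `auth_backend` in `airflow.cfg` and in the `AIRFLOW__API__AUTH_BACKEND` environment variable; an absent setting on 1.10.10 or earlier means the allow-all default is in effect.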
API Discovery and Profiling -- Visibility to Protection
APIs have become a dominant mechanism in the modern web, allowing organizations to create powerful web and mobile experiences, while exposing back-end data and logic to create new and innovative offerings. Protecting internet-facing APIs -- an emerging practice over the past few years -- is the...
Cross site request forgery (csrf)
The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request...
340 weak JWT secrets you should check in your code
JSON Web Token (JWT) is a data format with built-in signature and encryption mechanisms that modern web applications often use to store user sessions and application context, including SSO authentication results and metadata. Usually, you can find JWTs in an Authorization: Bearer HTTP...
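A weak HS256 secret is only a problem if the token can actually be re-signed with it, so the useful check is to take the token out of the `Authorization: Bearer` header and try each candidate secret against the signature. The following is an added example (not code from the linked article) using only the Python standard library; the short `WEAK_SECRETS` list and the sample token are constructed here to stand in for the article's 340 entries.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the article's candidate list.
WEAK_SECRETS = ["secret", "password", "changeme", "jwt_secret", "123456", "your-256-bit-secret"]


def b64url_encode(data: bytes) -> str:
    """JWT uses base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Restore the padding that JWT strips before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(header: dict, payload: dict, secret: str) -> str:
    """Build a compact-serialised JWS with HMAC-SHA256 over header.payload."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def find_weak_secret(token: str, candidates=WEAK_SECRETS):
    """Return the candidate that reproduces the token's HS256 signature, or None.

    Only HS256 tokens are tried: RS*/ES* tokens have no shared secret to guess,
    and a missing or malformed token is reported as None rather than raising.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    sig = b64url_decode(sig_b64)
    for secret in candidates:
        expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            return secret
    return None


def extract_bearer(auth_header: str):
    """Pull the token out of an 'Authorization: Bearer <token>' header value."""
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


# Constructed sample: a session token signed with the weak secret "secret".
SAMPLE_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "role": "user"}, "secret")
SAMPLE_HEADER = "Bearer " + SAMPLE_TOKEN

if __name__ == "__main__":
    token = extract_bearer(SAMPLE_HEADER)
    print("recovered secret:", find_weak_secret(token))
```

Run it against tokens captured from your own application only; a hit means anyone holding the same list can mint arbitrary sessions, and the remediation is a long random secret (or an asymmetric algorithm), not a longer block list.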
CVE-2020-10807
authsvc in Caldera before 2.6.5 allows authentication bypass for REST API requests via a forged "localhost" string in the HTTP Host header...
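The Host header is supplied by the client, so any "is this request local?" decision built on it is forgeable from anywhere. The following added example (not Caldera's code) contrasts that pattern with a check on the TCP peer address, which a remote client cannot choose; the raw request and the peer addresses are constructed inputs.

```python
import hmac
import ipaddress


def parse_request_head(raw: bytes):
    """Split a raw HTTP/1.x request head into (request_line, {lower-case name: value})."""
    head = raw.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_local_vulnerable(headers: dict) -> bool:
    """The pattern the advisory describes: trust a client-controlled Host header.

    Anything that reaches the listener can send 'Host: localhost'."""
    host = headers.get("host", "").split(":")[0]
    return host == "localhost"


def is_local_hardened(peer_ip: str) -> bool:
    """Decide on the transport-level peer address instead of any header."""
    try:
        return ipaddress.ip_address(peer_ip).is_loopback
    except ValueError:
        return False


def authorize(headers: dict, peer_ip: str, api_key: str, expected_key: str) -> bool:
    """Hardened decision: loopback peer or a valid API key; Host is ignored entirely."""
    return is_local_hardened(peer_ip) or hmac.compare_digest(api_key or "", expected_key)


# Constructed request from a remote attacker who forges the Host header.
FORGED_REQUEST = (
    b"GET /api/rest HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"User-Agent: curl/7.68.0\r\n"
    b"\r\n"
)
REMOTE_PEER = "203.0.113.5"   # documentation range, stands in for the attacker
LOCAL_PEER = "127.0.0.1"
EXPECTED_KEY = "ADMIN123"      # constructed; real deployments use a generated key


def demo():
    _, headers = parse_request_head(FORGED_REQUEST)
    return {
        "vulnerable_accepts_remote": is_local_vulnerable(headers),
        "hardened_accepts_remote": authorize(headers, REMOTE_PEER, "", EXPECTED_KEY),
        "hardened_accepts_local": authorize(headers, LOCAL_PEER, "", EXPECTED_KEY),
        "hardened_accepts_key": authorize(headers, REMOTE_PEER, "ADMIN123", EXPECTED_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

One caveat: behind a reverse proxy every peer address is the proxy's, usually loopback, so the loopback shortcut must be disabled in that deployment and authentication enforced for every request.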
Authentication flaw
A flaw in Give before 2.5.5, a WordPress plugin, allowed unauthenticated users to bypass API authentication methods and access personally identifiable information (PII) including names, addresses, IP addresses, and email addresses. Once an API key has been set to any meta key value from the...
CVE-2013-4859
INSTEON Hub 2242-222 lacks Web and API authentication...
CVE-2013-4859
The CVE-2013-4859 entry refers to the INSTEON Hub 2242-222, which suffers from a lack of Web and API authentication. The vulnerability affects the Hub's web/API interfaces, enabling unauthorized access when the device is exposed to the Internet (e.g., via port forwarding). The base information indicates a h...
WordPress GiveWP plugin <= 2.5.4 - Authentication Bypass
The weakness allows unauthenticated users to bypass API authentication methods and potentially access personally identifiable information (PII) such as names, addresses, IP addresses, and email addresses. Solution: Update the plugin to the latest version...
Cisco Releases Security Updates
Cisco has released security updates to address vulnerabilities in Cisco Integrated Management Controller (IMC) Supervisor, Unified Computing System (UCS) Director, and UCS Director Express for Big Data. A remote attacker could exploit these vulnerabilities to take control of an affected system. The...
Rocket.Chat: Upload of Avatars for other Users
The vulnerability allowed unprivileged users to upload avatar pictures on behalf of other users. The effect of the exploit depended on the storage backend, with the default GridFS being affected. The vulnerability was found in the Rocket.Chat development version at commit 5f0180dc...
CVE-2018-11048
Dell EMC Data Protection Advisor versions 6.2, 6.3, 6.4, 6.5 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 contain an XML External Entity (XXE) Injection vulnerability in the REST API. An authenticated remote malicious user could potentially exploit this vulnerability to...
Radancy: Ability To Take Over Any Account by Email
Hi Team, I've found that your API api.werkenbijdefensie.nl for your Mijn Defensie application does not authenticate Facebook users properly. Your application doesn't check the Facebook authentication token at all, which makes any attacker able to take over any account just by using any valid user's...
Facebook Threat Exchange
Facebook Threat Exchange Most threat intelligence solutions suffer because the data is too hard to standardize and verify. Facebook created the ThreatExchange platform so that participating organizations can share threat data using a convenient, structured, and easy-to-use API that provides priva...
Instagram Block - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-037
This module enables you to authenticate with Instagram's API via an intermediary service, instagram.yanniboi.com. The module doesn't sufficiently advise that your authentication tokens could be intercepted. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in...
Why your API is not a security-vulnerability warning: the black bar safety net
0x00 Background. Some time ago I reported to Spree Commerce that its API paths had JSONP+CSRF vulnerabilities. Similarly, the Instagram API had CSRF vulnerabilities, and the Disqus, Stripe and Shopify APIs leaked private information via JSONP. The root of all this...