147 matches found

Github Security Blog
added 2025/02/06 5:07 p.m. | 16 views

Mitmweb API Authentication Bypass Using Proxy Server

Impact: In mitmweb 11.1.0 and below, a malicious client can use mitmweb's proxy server (bound to :8080 by default) to access mitmweb's internal API (bound to 127.0.0.1:8081 by default). In other words, while the client cannot access the API directly (good), they can access the API through the proxy (bad)...

CVSS 8.2 | AI score 7.4 | EPSS 0.03579
Exploits 0 | References 7 | Affected Software 1
NVD
added 2025/02/05 6:15 p.m. | 14 views

CVE-2025-23413

When users log in through the webUI or API using local authentication, BIG-IP Next Central Manager may log sensitive information in the pgaudit log files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated...

CVSS 6.7 | EPSS 0.00095
Exploits 0 | References 1
CVE
added 2025/02/05 5:31 p.m. | 83 views

CVE-2025-23413

The CVE-2025-23413 vulnerability affects BIG-IP Next Central Manager. When users authenticate locally via webUI/API, sensitive data can be logged in pgaudit logs. Exploitation could allow an authenticated attacker with Administrator role to read undisclosed sensitive information through pgaudit. ...

CVSS 6.7 | AI score 4.6 | EPSS 0.00095
Exploits 0 | References 1 | Affected Software 1
RedhatCVE
added 2025/02/05 5:16 p.m. | 8 views

CVE-2019-20360

A flaw in Give before 2.5.5, a WordPress plugin, allowed unauthenticated users to bypass API authentication methods and access personally identifiable user information (PII) including names, addresses, IP addresses, and email addresses. Once an API key has been set to any meta key value from the...

CVSS 7.5 | AI score 6.7 | EPSS 0.01701
Exploits 1 | References 1
Wallarm Lab
added 2025/01/20 7:07 a.m. | 12 views

Considerations for Selecting the Best API Authentication Option

Implementing API authentication is one of the most critical stages of API design and development. Properly implemented authentication protects data, user privacy, and other resources while streamlining compliance, preventing fraud, and establishing accountability. In fact, broken authentication i...

AI score 7.4
Exploits 0
Fedora
added 2025/01/15 1:40 a.m. | 12 views

[SECURITY] Fedora 40 Update: perl-Net-OAuth-0.30-1.fc40

Perl implementation of OAuth, an open protocol to allow secure API authentication in a simple and standard method from desktop and web applications. In practical terms, a mechanism for a Consumer to request protected resources from a Service Provider on behalf of a user...

CVSS 5.3 | AI score 9.4 | EPSS 0.00105
Exploits 0
Fedora
added 2025/01/15 1:08 a.m. | 14 views

[SECURITY] Fedora 41 Update: perl-Net-OAuth-0.30-1.fc41

Perl implementation of OAuth, an open protocol to allow secure API authentication in a simple and standard method from desktop and web applications. In practical terms, a mechanism for a Consumer to request protected resources from a Service Provider on behalf of a user...

CVSS 5.3 | AI score 9.4 | EPSS 0.00105
Exploits 0
Vulnrichment
added 2025/01/09 7:05 p.m. | 7 views

CVE-2024-13258 Drupal REST & JSON API Authentication - Moderately critical - Access bypass - SA-CONTRIB-2024-022

Incorrect Authorization vulnerability in Drupal REST & JSON API Authentication allows Forceful Browsing. This issue affects Drupal REST & JSON API Authentication: from 0.0.0 before 2.0.13...

AI score 9.6 | EPSS 0.00583
Exploits 0 | References 1
CVE
added 2024/11/05 3:14 p.m. | 72 views

CVE-2023-29117

CVE-2023-29117 affects Waybox Enel X, where the web management API authentication can be bypassed, granting administrator privileges on the Waybox system. The available connected documents confirm the vulnerability’s existence and describe the impact as administrator-level access via bypassing th...

CVSS 8.8 | AI score 8.9 | EPSS 0.00018
Exploits 0 | References 1 | Affected Software 1
NVD
added 2024/10/28 8:15 p.m. | 8 views

CVE-2024-49755

Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...

CVSS 3.1 | EPSS 0.00139
Exploits 0 | References 2
Github Security Blog
added 2024/10/28 7:44 p.m. | 12 views

Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs

Impact: IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local API endpoints even without possessing the private key for signing proof tokens. Note that this only...

CVSS 3.1 | AI score 7.2 | EPSS 0.00139
Exploits 0 | References 4 | Affected Software 1
Wallarm Lab
added 2024/10/18 10:29 a.m. | 7 views

Beyond Passwords: Advanced API Authentication Strategies for Enhanced Security

Passwordless authentication for end users is taking the world by storm, offering organizations and individuals alike unprecedented security, user experience, and efficiency benefits. By all indications, the next generation of authentication for end users has finally arrived, sending the password...

AI score 8
Exploits 0
GithubExploit
added 2024/10/12 9:01 a.m. | 354 views

Exploit for Use of Incorrectly-Resolved Name or Reference in Zohocorp Manageengine_Adselfservice_Plus

CVE-2021-40539: ADSelfService Plus RCE Vulner...

CVSS 9.8 | AI score 7.4 | EPSS 0.94424
Exploits 8
NVD
added 2024/06/24 8:15 a.m. | 17 views

CVE-2024-24554

Bludit uses predictable methods in combination with the MD5 hashing algorithm to generate sensitive tokens such as the API token and the user token. This allows attackers to authenticate against the Bludit API...

CVSS 8.2 | EPSS 0.00117
Exploits 0 | References 1
NVD
added 2024/03/13 4:15 p.m. | 14 views

CVE-2024-0681

The Page Restriction WordPress WP – Protect WP Pages/Post plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.3.4. This is due to the plugin not properly restricting access to pages via the REST API when a page has been made private. This makes it...

CVSS 5.3 | AI score 5.1 | EPSS 0.00637
Exploits 0 | References 2
Vulnrichment
added 2023/12/18 8:27 a.m. | 17 views

CVE-2023-41314 Apache Doris: Missing API authentication allowed DoS

The API endpoints /api/snapshot and /api/getlogfile allowed unauthenticated access. This could allow a DoS attack or retrieval of arbitrary files from the FE node. Please upgrade to 2.0.3 to fix these issues...

AI score 7.2 | EPSS 0.00384
Exploits 0 | References 1
Cvelist
added 2023/12/18 8:27 a.m. | 19 views

CVE-2023-41314 Apache Doris: Missing API authentication allowed DoS

The API endpoints /api/snapshot and /api/getlogfile allowed unauthenticated access. This could allow a DoS attack or retrieval of arbitrary files from the FE node. Please upgrade to 2.0.3 to fix these issues...

AI score 8.5 | EPSS 0.00384
Exploits 0 | References 1
CVE
added 2023/12/14 4:06 p.m. | 36 views

CVE-2023-6595

CVE-2023-6595 affects Progress WhatsUp Gold versions released before 2023.1. The issue is an API endpoint that lacks authentication, allowing an unauthenticated attacker to enumerate ancillary credential information stored within WhatsUp Gold. Red Hat and Nessus/NASL reports corroborate the core ...

CVSS 7.5 | AI score 6 | EPSS 0.00332
Exploits 0 | References 2 | Affected Software 1
Tenable Nessus
added 2023/10/05 12:00 a.m. | 26 views

Cisco Unified Communications Manager IM & Presence DoS (cisco-sa-cucm-apidos-PGsDcdNF)

According to its self-reported version, Cisco Unified Communications Manager IM & Presence running on the remote host is affected by a denial of service (DoS) vulnerability. Due to improper API authentication and incomplete verification of the API request, an unauthenticated, remote attacker can se...

CVSS 8.6 | AI score 7.4 | EPSS 0.00165
Exploits 0 | References 3
Tenable Nessus
added 2023/10/05 12:00 a.m. | 98 views

Cisco Unified Communications Manager DoS (cisco-sa-cucm-apidos-PGsDcdNF)

According to its self-reported version, Cisco Unified Communications Manager running on the remote host is affected by a denial of service (DoS) vulnerability. Due to improper API authentication and incomplete verification of the API request, an unauthenticated, remote attacker can send a specially...

CVSS 8.6 | AI score 7.4 | EPSS 0.00165
Exploits 0 | References 3