CVE-2022-23497 Insecure file access in FreshRSS
FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user preferences, such configurations contain the hashed passwords (bcrypt with cost 9, salted) of the FreshRSS Web interface. If the API is used, the configuration might contain a...
Automattic: IDOR in API applications (able to see any API token, leads to account takeover)
Summary: Hi, @ehtis, thank you for the test account. Here is a critical report. On Pressable, we can create API applications at https://my.pressable.com/api/applications, and we can access many things using the API token by following the API docs. I created an API application and tried to updat...
CVE-2022-1766
Anchore Enterprise anchorectl version 0.1.4 improperly stored credentials when generating a Software Bill of Materials. anchorectl will add the credentials used to access the Anchore Enterprise API in the Software Bill of Materials (SBOM) generated by anchorectl. Users of anchorectl version 0.1.4 shoul...
CVE-2022-23720
PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator privileged PingID API credentials, such as those typically used by PingFederate, into PingID...
Misconfigured Firebase Databases Exposing Data in Mobile Apps
Thousands of mobile apps – some of which have been downloaded tens of millions of times – are exposing sensitive data from open cloud-based databases due to misconfigured cloud implementations, new research from Check Point has found. Check Point Research (CPR) found that in three months’ time, 2,1...
CVE-2021-39342
The CVE-2021-39342 entry corresponds to the WordPress Credova_Financial plugin (versions up to and including 1.4.8) exposing the site’s Credova API account username and password in plaintext via an AJAX action during checkout when the Credova Financing option is enabled. Affected component is the...
Sensitive Data Exposure in miniorange_saml
The miniorangesaml aka Miniorange Saml extension before 1.4.3 for TYPO3 allows Sensitive Data Exposure of API credentials and private keys...
GHSA-G485-29GQ-6H2H Sensitive Data Exposure in miniorange_saml
The miniorangesaml aka Miniorange Saml extension before 1.4.3 for TYPO3 allows Sensitive Data Exposure of API credentials and private keys...
CVE-2021-36786
The miniorangesaml aka Miniorange Saml extension before 1.4.3 for TYPO3 allows Sensitive Data Exposure of API credentials and private keys...
CVE-2021-36786
CVE-2021-36786 concerns the miniorange_saml (Miniorange Saml) extension for TYPO3, prior to version 1.4.3. The issue is an information disclosure vulnerability that allows exposure of API credentials and private keys due to inadequate handling/encoding, as described in multiple connected sources ...
Multiple vulnerabilities in Extension "Miniorange Saml" (miniorange_saml)
The extension fails to properly encode user input for output in HTML context (CVE-2021-36785). Also, the extension contains sensitive data (API credentials and a private key) which should not have been published (CVE-2021-36786). Finally, the extension bundles several 3rd party components, jQuery and...
CVE-2020-11923
An issue was discovered in WiZ Colors A60 1.14.0. API credentials are locally logged...
CVE-2020-11923
Product/Version affected: WiZ Colors A60 1.14.0. Vulnerability: API credentials are logged locally, which can expose sensitive information. Root cause (as stated): Credentials end up in local logs. Impact (as stated): Potential exposure of API credentials due to local logging (no details on explo...
WordPress ActiveCampaign Cross-Site Request Forgery Vulnerability
WordPress ActiveCampaign is an open source application plugin for WordPress. The WordPress ActiveCampaign plugin, versions before 8.0.2, suffers from a cross-site request forgery vulnerability that stems from a lack of CSRF checks, which an attacker could use to exploit an account's API...
CVE-2021-24133
Lack of CSRF checks in the ActiveCampaign WordPress plugin, versions before 8.0.2, on its Settings form, which could allow an attacker to make a logged-in administrator change the API credentials to the attacker's account...