1998 matches found

ThreatPost
added 2019/08/29 3:36 p.m. · 74 views

Venmo's Public Transactions Policy Stirs Privacy Concerns

Your simple $5 Venmo payment to a friend after splitting a pizza could easily expedite various malicious attacks, from stalking to spear-phishing, according to researcher concerns. Many have weighed in on Venmo’s privacy practices, but the latest are Mozilla Foundation and the Electronic Frontier...

7 AI score
Exploits 0 · References 9

Atlassian
added 2019/08/12 2:48 a.m. · 106 views

User enumeration through the groupuserpicker api resource - CVE-2019-8449

Issue summary: The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability. Workaround: If upgrading Jira to 8.4.0 is not an option for now, then a temporary workaround consists in...

5.3 CVSS · 4.1 AI score · 0.84771 EPSS
Exploits 8 · Affected Software 1

Veracode
added 2019/08/06 5:35 a.m. · 6 views

Denial Of Service (DoS)

grpc-ts-health-check is vulnerable to denial of service (DoS). The vulnerability exists as it exposes an API endpoint that may allow attackers to set the service's health status to failing...

4 AI score
Exploits 0

Node.js
added 2019/08/05 9:27 p.m. · 10 views

Denial of Service

Overview: Versions of grpc-ts-health-check prior to 2.0.0 are vulnerable to Denial of Service. The package exposes an API endpoint that may allow attackers to set the service's health status to failing. This can lead to Denial of Service as Kubernetes blocks traffic to services with a failing...

6.8 AI score
Exploits 0 · Affected Software 1

Amazon
added 2019/07/17 12:0 a.m. · 120 views

Medium: docker

Issue Overview: A flaw was discovered in the API endpoint behind the 'docker cp' command. The endpoint is vulnerable to a Time Of Check to Time Of Use (TOCTOU) vulnerability in the way it handles symbolic links inside a container. An attacker who has compromised an existing container can cause...

7.5 CVSS · 7.5 AI score · 0.03398 EPSS
Exploits 2

ThreatPost
added 2019/07/02 9:23 p.m. · 223 views

Security Camera Firm Arlo Zaps High-Severity Bugs

Two high-severity vulnerabilities in Arlo Technologies’ wireless home security camera gear have been patched. The flaws, which indirectly impact Arlo’s popular fleet of wireless home security cameras, are limited to adversaries with local network and physical access to Arlo Base Stations. Both...

10 CVSS · 0.01741 EPSS
Exploits 0 · References 5

OSV
added 2019/07/02 8:32 a.m. · 6 views

SUSE-SU-2019:1220-2 Security update for cf-cli

This update for cf-cli fixes the following issues: cf-cli was updated: to version 6.43.0 bsc1132242 Enhancements : - cf curl supports a new --fail flag primarily for scripting purposes which returns exit code 22 for server errors story - Improves cf delete-orphaned-routes such that it uses a...

8.8 CVSS · 8.8 AI score · 0.01329 EPSS
Exploits 0 · References 3

OSV
added 2019/06/18 4:15 p.m. · 0 views

UBUNTU-CVE-2018-18839

DISPUTED: An issue was discovered in Netdata 1.10.0. Full Path Disclosure (FPD) exists via api/v1/alarms. NOTE: the vendor says "is intentional."...

5.3 CVSS · 7.1 AI score · 0.01867 EPSS
Exploits 0 · References 4

Node.js
added 2019/06/10 9:36 p.m. · 15 views

Command Injection

Overview: All versions of soletta-dev-app are vulnerable to Command Injection. The package does not validate user input on the /api/service/status API endpoint, passing contents of the service query parameter to an exec call. This may allow attackers to run arbitrary commands in the system...

7.1 AI score
Exploits 0 · Affected Software 1

Node.js
added 2019/06/10 7:47 p.m. · 12 views

Command Injection

Overview: Versions of addax prior to 1.1.0 are vulnerable to Command Injection. The package does not validate user input on the presignPath function which receives input directly from the API endpoint. Exploiting the vulnerability requires authentication. This may allow attackers to run arbitrary...

7.1 AI score
Exploits 0 · Affected Software 1

RedhatCVE
added 2019/05/28 5:50 p.m. · 57 views

CVE-2018-15664

A flaw was discovered in the API endpoint behind the 'docker cp' command. The endpoint is vulnerable to a Time Of Check to Time Of Use (TOCTOU) vulnerability in the way it handles symbolic links inside a container. An attacker who has compromised an existing container can cause arbitrary files on t...

7.5 CVSS · 1.2 AI score · 0.03398 EPSS
Exploits 2 · References 4

Hacker One
added 2019/05/22 11:17 a.m. · 36 views

Flickr: Improper access control in place for "member only" groups via root.YUI_config.flickr.api.site_key

Researcher identified API endpoint that was not doing sufficient permission validation...

4.9 AI score
Exploits 0

Pen Test Partners Blog
added 2019/03/20 4:16 p.m. · 84 views

Connected camera cock up

I haven’t touched adult toy security for over a year now, mostly because we kept finding the same stuff over and over again. Besides, @internetofdongs has been doing some great work in this space, so it seemed pointless to duplicate his efforts. However, this morning, @dcuthbert tweeted us this: ...

7.2 AI score
Exploits 0

Cvelist
added 2019/02/05 3:0 a.m. · 27 views

CVE-2018-15656

An issue was discovered in the registration API endpoint in 42Gears SureMDM before 2018-11-27. An attacker can submit a GET request to /api/register/:email, where :email is a base64 encoded e-mail address, to receive confirmation as to whether a user account exists in the system with the specifie...

7.4 AI score · 0.01553 EPSS
Exploits 1 · References 1

Positive Technologies
added 2019/01/30 12:0 a.m. · 3 views

PT-2019-16767 · Labkey · Labkey Server Community Edition

Name of the Vulnerable Software and Affected Versions: LabKey Server Community Edition versions prior to 18.3.0-61806.763 Description: The issue is related to an open redirect vulnerability. It affects the / r1/ API endpoint, specifically the returnURL parameter, allowing an unauthenticated remot...

6.1 CVSS · 6.3 AI score · 0.04825 EPSS
Exploits 1 · References 2

Positive Technologies
added 2018/12/31 12:0 a.m. · 4 views

PT-2018-15155 · Razorcms · Razorcms

Name of the Vulnerable Software and Affected Versions: razorCMS version 3.4.8 Description: The issue is related to HTML injection in the software. It can be exploited via the "//page" API endpoint, specifically through the keywords parameter. Recommendations: For razorCMS version 3.4.8, consider...

5.4 CVSS · 5.5 AI score · 0.00667 EPSS
Exploits 1 · References 3

OSV
added 2018/12/20 10:1 p.m. · 20 views

GHSA-P69G-F978-XXV9 Cross-Site Request Forgery (CSRF) in Luigi

Luigi version prior to version 2.8.0; after commit 53b52e12745075a8acc016d33945d9d6a7a6aaeb; after GitHub PR spotify/luigi/pull/1870 contains a Cross-Site Request Forgery (CSRF) vulnerability in API endpoint: /api/ that can result in Task metadata such as task name, id, parameter, etc. will be leake...

8.8 CVSS · 8.8 AI score · 0.008 EPSS
Exploits 1 · References 7

OSV
added 2018/12/20 3:29 p.m. · 16 views

CVE-2018-1000843

Luigi version prior to version 2.8.0; after commit 53b52e12745075a8acc016d33945d9d6a7a6aaeb; after GitHub PR spotify/luigi/pull/1870 contains a Cross-Site Request Forgery (CSRF) vulnerability in API endpoint: /api/ that can result in Task metadata such as task name, id, parameter, etc. will be leake...

8.8 CVSS · 8.9 AI score
Exploits 0 · References 3

Prion
added 2018/12/20 3:29 p.m. · 15 views

Cross site request forgery (csrf)

Luigi version prior to version 2.8.0; after commit 53b52e12745075a8acc016d33945d9d6a7a6aaeb; after GitHub PR spotify/luigi/pull/1870 contains a Cross-Site Request Forgery (CSRF) vulnerability in API endpoint: /api/ that can result in Task metadata such as task name, id, parameter, etc. will be leake...

6.8 CVSS · 8.8 AI score · 0.008 EPSS
Exploits 1 · References 3 · Affected Software 1

Prion
added 2018/12/19 2:29 p.m. · 12 views

Cross site request forgery (csrf)

The template upload API endpoint accepted requests from a different domain when sent in conjunction with ARP spoofing + man-in-the-middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access,...

5.1 CVSS · 7.5 AI score · 0.00713 EPSS
Exploits 0 · References 1 · Affected Software 1