28 matches found
PT-2024-13214 · Octopus Deploy +1 · Octopus Server
Name of the Vulnerable Software and Affected Versions: Software affected versions not specified Description: The issue allows an API key to be logged in clear text in the audit log file after an invalid login attempt. Recommendations: At the moment, there is no information about a newer version...
WP Spell Check < 9.18 - Cross-Site Request Forgery
Description The WP Spell Check plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.17. This is due to missing or incorrect nonce validation on the wpscxadminemptyrender function. This makes it possible for unauthenticated attackers to update an...
JVN#64453490: Android App "Wolt Delivery: Food and more" uses a hard-coded API key for an external service
Android App "Wolt Delivery: Food and more" provided by Wolt uses a hard-coded API key for an external service CWE-798. Impact The hard-coded API key may be retrieved via reverse-engineering the application binary. Note that the application users are not directly affected by this vulnerability...
CVE-2022-43887 IBM Cognos Analytics information disclosure
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could be vulnerable to sensitive information exposure by passing API keys to log files. If these keys contain sensitive information, it could lead to further attacks. IBM X-Force ID: 240450...
PT-2022-17478 · Unknown · Octopus Server
Name of the Vulnerable Software and Affected Versions: Octopus Server affected versions not specified Description: The issue concerns Octopus Server versions where access is managed by an external authentication provider. In these versions, it was possible for the API key/keys of a disabled or...
Hardcoded credentials
Jimoty App for Android versions prior to 3.7.42 uses a hard-coded API key for an external service. By exploiting this vulnerability, API key for an external service may be obtained by analyzing data in the app...
Use of a Broken or Risky Cryptographic Algorithm in emoncms/emoncms
✍️ Description The function mtrand is used to generate verification keys, API keys both read & write, and even hash salts, this function is cryptographically flawed due to its nature being one pseudorandomness, an attacker can take advantage of the cryptographically insecure nature of this functio...
WakaTime: Session Duplication due to Broken Access Control
Due to improper validation of user before generating an API-KEY and improper measures taken at the time of password reset, it is possible to generate a parallel session at the attacker's end. Proof of concept video is attached to confirm the vulnerability and to demonstrate the Impact of this...