1270 matches found
CVE-2021-39192
Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users including contributors to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability...
Privilege escalation
Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users including contributors to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability...
CVE-2021-39192 Privilege escalation: all users can access Admin-level API keys
Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users including contributors to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability...
CVE-2021-39192
Ghost CMS contains a privilege-escalation flaw in the limits service from versions 4.0.0–4.9.4 that lets all authenticated users (including contributors) view admin-level API keys via the Integrations API endpoint. The issue is fixed in Ghost 4.10.0. As a workaround, disable all non-Administrator...
Keyhacks - A Repository Which Shows Quick Ways In Which API Keys Leaked By A Bug Bounty Program Can Be Checked To See If They'Re Valid
KeyHacks shows ways in which particular API keys found on a Bug Bounty Program can be used, to check if they are valid. @Gwen001 has scripted the entire process available here and it can be found here Table of Contents ABTasty API Key Algolia API key Amplitude API Keys Asana Access token AWS Acce...
Researchers Detail Modus Operandi of ShinyHunters Cyber Crime Group
ShinyHunters, a notorious cybercriminal underground group that's been on a data breach spree since last year, has been observed searching companies' GitHub repository source code for vulnerabilities that can be abused to stage larger scale attacks, an analysis of the hackers' modus operandi has...
Sigurlfind3R - A Reconnaissance Tool, It Fetches URLs From AlienVault's OTX, Common Crawl, URLScan, Github And The Wayback Machine
sigurlfind3r is a passive reconnaissance tool, it fetches known URLs from AlienVault's OTX , Common Crawl , URLScan , Github and the Wayback Machine. DiSCLAIMER: fetching urls from github is a bit slow. Usage sigurlfind3r -h This will display help for the tool. | |/ | | / / | |/ | | | | '| | || |...
Elastic Stack 7.14.0 Security Update
Elasticsearch Document/Field Level Security issue ESA-2021-18 A flaw was discovered in Elasticsearch where document and field level security was not applied to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view. Affected...
PT-2021-4651 · Elastic · Enterprise Search App Search
Name of the Vulnerable Software and Affected Versions: Elastic Enterprise Search App Search versions prior to 7.14.0 Description: The issue is related to missing authorization for API keys via an alternate route. An authenticated attacker could exploit this to utilize API keys belonging to higher...
Stripo Inc: Insecure Storage and Overly Permissive API Keys
Summary: I am surfing on the stripo.email website. I found a sensitive data including authentication key/secrettoken written in public accessible subdo. We found a aviaryApiKeyand other secretkey exposed in staging.empleio.stripo.email. Risk Factors: Most often Developers for their ease of...
CVE-2021-32790
Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors already having admin access, or API keys to the WooCommerce site can exploit vulnerable...
Sql injection
Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors already having admin access, or API keys to the WooCommerce site can exploit vulnerable...
Privilege Escalation
ghost is vulnerable to privilege escalation. Any user is able to access Admin-level API keys and gain access to secured functions...
Privilege escalation: all users can access Admin-level API keys
Impact An error in the implementation of the limits service in 4.0.0 allows all authenticated users including contributors to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. GhostPro has already been patched. Self-hosters are impacted ...
GHSA-J5C2-HM46-WP5C Privilege escalation: all users can access Admin-level API keys
Impact An error in the implementation of the limits service in 4.0.0 allows all authenticated users including contributors to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. GhostPro has already been patched. Self-hosters are impacted ...
Cariddi - Take A List Of Domains, Crawl Urls And Scan For Endpoints, Secrets, Api Keys, File Extensions, Tokens And More...
Take a list of domains, crawl urls andscan for endpoints, secrets, api keys, file extensions, tokens and more... Preview Installation You need Go. Linux git clone https://github.com/edoardottt/cariddi.git cd cariddi go get make linux to install make unlinux to uninstall Or in one line: git clone...
CVE-2021-33220
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. Hard-coded API Keys exist...
Hardcoded credentials
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. Hard-coded API Keys exist...
CVE-2021-33220
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. Hard-coded API Keys exist...
CVE-2021-33220
CVE-2021-33220 affects CommScope Ruckus IoT Controller, version 1.7.1.0 and earlier. The vulnerability stems from hard-coded API keys embedded in the OVA image and web application code, which can be exposed when the filesystem is mounted. Reported impact includes exposure of API keys that can be ...