1269 matches found

CVE, added 2019/03/19 7:47 p.m., 42 views

CVE-2018-17499

CVE-2018-17499 affects Envoy Passport for Android and Envoy Passport for iPhone. The related CNVD-2019-08356 confirms an information-disclosure vulnerability caused by storing unencrypted data in logs, enabling a local attacker to access sensitive information such as two API keys and a token. Affec...

CVSS 5.5, AI score 5.2, EPSS 0.00206
Exploits: 0, References: 1, Affected software: 1
Kitploit, added 2019/03/12 8:43 p.m., 138 views

Hostintel - A Modular Python Application To Collect Intelligence For Malicious Hosts

This tool is used to collect various intelligence sources for hosts. Hostintel is written in a modular fashion so new intelligence sources can be easily added. Hosts are identified by FQDN host name, domain, or IP address. This tool only supports IPv4 at the moment. The output is in CSV format an...

AI score 7.1
Exploits: 0, References: 12
WPVulnDB, added 2019/03/07 12:00 a.m., 9 views

Caldera Forms Pro <= 1.8.1 - Unauthenticated Arbitrary File Read

According to the vendor: "This update includes an important SECURITY fix that affects some Pro customers. If you do not have Caldera Forms Pro API keys activated, this issue does not affect you." According to the original researchers: "The Caldera Forms Pro vulnerability would allow attackers to...

AI score 4.2
Exploits: 0, References: 3, Affected software: 1
OSV, added 2019/02/08 3:29 a.m., 2 views

CVE-2019-7628

Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in...

CVSS 5.9, AI score 5.8
Exploits: 0, References: 5
CVE, added 2019/02/08 3:00 a.m., 57 views

CVE-2019-7628

Pagure 5.2 leaks API keys by emailing them to users due to a TLS-trusting CS mail path and an insecure API token expiration reminder cron job in files/api_key_expire_mail.py. The issue enables MITM reading of emails and potential account compromise, with the root cause identified as the API key expi...

CVSS 5.9, AI score 5.5, EPSS 0.00901
Exploits: 0, References: 5, Affected software: 1
Debian CVE, added 2019/02/08 3:00 a.m., 18 views

CVE-2019-7628

Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in...

CVSS 5.9, AI score 5.6, EPSS 0.00901
Exploits: 0
CNVD, added 2019/01/25 12:00 a.m., 2 views

Cisco AMP Threat Grid Cloud and AMP Threat Grid Appliance software trust management issue vulnerability

Cisco AMP Threat Grid Cloud and AMP Threat Grid Appliance software are both products of Cisco, Inc. Cisco AMP Threat Grid Cloud is a cloud-based malware and threat intelligence analysis solution; AMP Threat Grid Appliance software is an on-device malware analysis solution. Cisco AMP Threat Grid Cloud an...

CVSS 4.3, AI score 6.8, EPSS 0.0145
Exploits: 0, References: 1
ThreatPost, added 2019/01/24 10:03 p.m., 292 views

Fighting Fire with Fire: API Automation Risks

Akamai research shows that 83 percent of all traffic on the web today is API calls (JSON / XML). In many cases this fast growth can be attributed to the adoption and popularity of mobile devices and the mobile app ecosystem, as well as to abuse by threat actors using bots to automate their manual...

Exploits: 0, References: 6
OSV, added 2019/01/24 4:29 p.m., 1 view

CVE-2019-1657

A vulnerability in Cisco AMP Threat Grid could allow an authenticated, remote attacker to access sensitive information. The vulnerability is due to unsafe creation of API keys. An attacker could exploit this vulnerability by using insecure credentials to gain unauthorized access to the affected...

CVSS 4.3, AI score 5.8, EPSS 0.0145
Exploits: 0, References: 2
Prion, added 2019/01/24 4:29 p.m., 14 views

Design/Logic Flaw

A vulnerability in Cisco AMP Threat Grid could allow an authenticated, remote attacker to access sensitive information. The vulnerability is due to unsafe creation of API keys. An attacker could exploit this vulnerability by using insecure credentials to gain unauthorized access to the affected...

CVSS 4, AI score 4.8, EPSS 0.0145
Exploits: 0, References: 2, Affected software: 2
ThreatPost, added 2019/01/16 2:00 p.m., 16 views

VOIPO Database Exposes Millions of Texts, Call Logs

UPDATE: An improperly secured database owned by a California voice-over-internet provider left millions of customer call logs, SMS message logs and credentials in plain text, open for months for the taking. The database belongs to VOIPO, which provides mobile services for consumers and commercial...

AI score 0.1
Exploits: 0, References: 7
Github Security Blog, added 2019/01/04 5:48 p.m., 29 views

Recurly vulnerable to SSRF

The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, 2.4.5, 2.5.1, 2.6.2 is vulnerable to Server-Side Request Forgery in the Resource.get method, which could result in compromise of API keys or other critical resources...

CVSS 9.8, AI score 8.9, EPSS 0.02594
Exploits: 0, References: 6, Affected software: 1
OSV, added 2019/01/04 5:48 p.m., 16 views

GHSA-38RV-5JQC-M2CV Recurly vulnerable to SSRF

The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, 2.4.5, 2.5.1, 2.6.2 is vulnerable to Server-Side Request Forgery in the Resource.get method, which could result in compromise of API keys or other critical resources...

CVSS 9.8, AI score 9.4, EPSS 0.02594
Exploits: 0, References: 6
Kitploit, added 2018/12/10 11:45 a.m., 87 views

theHarvester v3.0.3 - E-mails, Subdomains And Names Harvester (OSINT)

theHarvester is a tool for gathering subdomain names, e-mail addresses, virtual hosts, open ports/banners, and employee names from different public sources (search engines, PGP key servers). It is a really simple tool, but very effective for the early stages of a penetration test or just to know the...

AI score 7.1
Exploits: 0, References: 1
Kitploit, added 2018/11/27 12:37 p.m., 79 views

TIDoS-Framework v1.7 - The Offensive Manual Web Application Penetration Testing Framework

TIDoS Framework is a comprehensive web-app audit framework. Highlights: TIDoS Framework now boasts more than a hundred modules. A complete, versatile framework covering everything from reconnaissance to vulnerability analysis. Has ...

AI score 7.8
Exploits: 0, References: 1
Kitploit, added 2018/11/16 12:45 p.m., 99 views

CloudBunny - A Tool To Capture The Real IP Of The Server That Uses A WAF As A Proxy Or Protection

CloudBunny is a tool to capture the real IP of a server that uses a WAF as a proxy or protection. How it works: the tool uses three search engines to look up domain information: Shodan, Censys and Zoomeye. To use the tool you need API keys, which you can obtain from the following links: Shodan -...

AI score 7.1
Exploits: 0, References: 1
Hacker One, added 2018/11/06 10:04 a.m., 15 views

X (Formerly Twitter): Incorrect details on OAuth permissions screen allows DMs to be read without permission

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: The OAuth screen can be tricke...

AI score 6.6
Exploits: 0
Github Security Blog, added 2018/10/16 5:35 p.m., 28 views

Critical severity vulnerability that affects recurly-api-client

The Recurly Client .NET Library before 1.0.1, 1.1.10, 1.2.8, 1.3.2, 1.4.14, 1.5.3, 1.6.2, 1.7.1, 1.8.1 is vulnerable to Server-Side Request Forgery due to incorrect use of "Uri.EscapeUriString", which could result in compromise of API keys or other critical resources...

CVSS 9.8, AI score 3.6, EPSS 0.02594
Exploits: 0, References: 5, Affected software: 1
OSV, added 2018/10/16 5:35 p.m., 26 views

GHSA-XPWP-RQ3X-X6V7 Critical severity vulnerability that affects recurly-api-client

The Recurly Client .NET Library before 1.0.1, 1.1.10, 1.2.8, 1.3.2, 1.4.14, 1.5.3, 1.6.2, 1.7.1, 1.8.1 is vulnerable to Server-Side Request Forgery due to incorrect use of "Uri.EscapeUriString", which could result in compromise of API keys or other critical resources...

CVSS 9.8, AI score 9.4, EPSS 0.02594
Exploits: 0, References: 5
Prion, added 2018/08/30 5:29 p.m., 10 views

Hardcoded credentials

The EPSON iPrint application 6.6.3 for Android contains hard-coded API and secret keys for the Dropbox, Box, Evernote and OneDrive services...

CVSS 5, AI score 7.5, EPSS 0.01145
Exploits: 1, References: 1, Affected software: 1