1270 matches found

CVE
added 2024/03/13 3:27 p.m. · 80 views

CVE-2024-0368

The Hustle plugin for WordPress (wordpress-popup) versions up to and including 7.8.3 contains hardcoded HubSpot credentials in inc/providers/hubspot/hustle-hubspot-api.php (CLIENT_ID, CLIENT_SECRET, HAPIKEY). This root cause enables exposure of HubSpot API keys and potential access to PII via Hub...

CVSS 8.6 · AI score 8.8 · EPSS 0.00789
Exploits 3 · References 5 · Affected Software 1
Positive Technologies
added 2024/03/13 12:00 a.m. · 8 views

PT-2024-15503 · WordPress · The Hustle – Email Marketing

Name of the Vulnerable Software and Affected Versions: The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress versions up to, and including, 7.8.3
Description: The issue allows unauthenticated attackers to extract sensitive data, including personally identifiable...

CVSS 8.6 · AI score 9.5 · EPSS 0.00789
Exploits 3 · References 7
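The two Hustle entries above (CVE-2024-0368 and PT-2024-15503) describe HubSpot credentials (CLIENT_ID, CLIENT_SECRET, HAPIKEY) hard-coded in a plugin source file. The check a practitioner wants is a scanner that flags string literals assigned to credential-looking names and scores them by Shannon entropy, so that a random key stands out from an ordinary URL or label. The Go program below is an added example, not code from the plugin or from either advisory; its PHP input is a constructed sample modelled on the advisory's description (the real file's contents and real keys are not on this page), and the keyword list, the 8-character minimum and the 3.0 bits/char threshold are the example's own assumptions.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// SamplePHP is a CONSTRUCTED input modelled on the advisory's description of
// inc/providers/hubspot/hustle-hubspot-api.php. It is not the plugin's real
// file, and the values are made-up placeholders, not real HubSpot keys.
const SamplePHP = `<?php
// constructed sample, not the real plugin file
class Hustle_HubSpot_Api {
	const CLIENT_ID     = '0f2a9c4e-6b1d-4e83-9d7a-3c5e8f1b2a6d';
	const CLIENT_SECRET = 'b7e1d3c9a5f24680e2c4a6b8d0f1e3c5';
	const HAPIKEY       = 'c1d2e3f4-a5b6-7890-c1d2-e3f4a5b67890';
	const API_URL       = 'https://api.hubapi.com/';
	private $token;
	public function __construct() {
		$this->token = getenv('HUBSPOT_TOKEN'); // fine: read at runtime, no literal
	}
}
`

// secretAssign matches a PHP const, define() or $variable whose name contains a
// credential-like keyword and whose value is a quoted literal of 8+ characters.
// The keyword list is an assumption of this example; extend it for your code base.
var secretAssign = regexp.MustCompile(
	`(?i)(?:define\(\s*['"]|const\s+|\$)` +
		`([a-z0-9_]*(?:secret|key|client_id|token|password|passwd)[a-z0-9_]*)` +
		`['"]?\s*(?:,|=)\s*['"]([^'"]{8,})['"]`)

// Finding is one flagged literal.
type Finding struct {
	Line    int
	Name    string
	Value   string
	Entropy float64 // Shannon entropy in bits per character
}

// Entropy returns the Shannon entropy of s in bits per character. Random hex
// keys approach 4 bits, base64 approaches 6; words and URLs score lower.
func Entropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ScanPHP walks the source line by line and reports literals assigned to
// credential-like names whose entropy is at least minEntropy bits/char.
func ScanPHP(src string, minEntropy float64) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		m := secretAssign.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if e := Entropy(m[2]); e >= minEntropy {
			out = append(out, Finding{Line: i + 1, Name: m[1], Value: m[2], Entropy: e})
		}
	}
	return out
}

func main() {
	for _, f := range ScanPHP(SamplePHP, 3.0) {
		fmt.Printf("line %d: %s = %q (entropy %.2f bits/char)\n", f.Line, f.Name, f.Value, f.Entropy)
	}
}
```

On the constructed sample the three credential constants are reported and API_URL and the getenv() call are not. Run it over a plugin checkout with `find . -name '*.php'` feeding ScanPHP, and treat the entropy as a ranking aid rather than a verdict: a short or low-entropy literal can still be a real secret.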
The Hacker News
added 2024/03/08 9:49 a.m. · 33 views

Secrets Sensei: Conquering Secrets Management Challenges

In the realm of cybersecurity, the stakes are sky-high, and at its core lies secrets management — the foundational pillar upon which your security infrastructure rests. We're all familiar with the routine: safeguarding those API keys, connection strings, and certificates is non-negotiable. Howeve...

AI score 7.1
Exploits 0
The Hacker News
added 2024/03/07 11:11 a.m. · 26 views

Human vs. Non-Human Identity in SaaS

In today's rapidly evolving SaaS environment, the focus is on human users. This is one of the most compromised areas in SaaS security management and requires strict governance of user roles and permissions, monitoring of privileged users, their level of activity (dormant, active, hyperactive), thei...

AI score 6.8
Exploits 0
OSV
added 2024/03/06 10:54 a.m. · 30 views

BIT-ELASTICSEARCH-2020-7009

Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges...

CVSS 8.8 · AI score 8.6 · EPSS 0.016
Exploits 0 · References 4
OSV
added 2024/03/06 10:54 a.m. · 30 views

BIT-ELASTICSEARCH-2020-7014

The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication...

CVSS 8.8 · AI score 8.8 · EPSS 0.01543
Exploits 0 · References 3
OSV
added 2024/03/06 10:54 a.m. · 15 views

BIT-GHOST-2021-39192 Privilege escalation: all users can access Admin-level API keys

Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users including contributors to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability...

CVSS 7.2 · AI score 6.9 · EPSS 0.00986
Exploits 1 · References 3
OSV
added 2024/03/06 10:52 a.m. · 14 views

BIT-ELASTICSEARCH-2021-37937 Elasticsearch privilege escalation

An issue was found with how API keys are created with the Fleet-Server service account. When an API key is created with a service account, it is possible that the API key could be created with higher privileges than intended. Using this vulnerability, a compromised Fleet-Server service account...

CVSS 8.8 · AI score 8.7 · EPSS 0.00714
Exploits 0 · References 3
Prion
added 2024/02/21 4:15 p.m. · 12 views

Design/Logic Flaw

discourse-microsoft-auth is a plugin that enables authentication via Microsoft. On sites with the discourse-microsoft-auth plugin enabled, an attack can potentially take control of a victim's Discourse account. Sites that have configured their application's account type to any options other than...

CVSS 5.1 · AI score 7.3 · EPSS 0.00798
Exploits 0 · References 3
Vulnrichment
added 2024/02/21 4:08 p.m. · 10 views

CVE-2023-46241 Potential account take over due to unverified emails from Microsoft Identity Platform

discourse-microsoft-auth is a plugin that enables authentication via Microsoft. On sites with the discourse-microsoft-auth plugin enabled, an attack can potentially take control of a victim's Discourse account. Sites that have configured their application's account type to any options other than...

CVSS 9 · AI score 7 · EPSS 0.00798
Exploits 0 · References 3
Veracode
added 2024/02/19 4:50 a.m. · 20 views

Insecure Randomness

github.com/greenpau/go-authcrunch is vulnerable to Insecure Randomness. The vulnerability is caused due to using math/rand Golang library with a seed based on the Unix timestamp to generate strings for three security-critical contexts in the application. Attackers could use the potentially...

CVSS 9.8 · AI score 7 · EPSS 0.0068
Exploits 0 · References 5 · Affected Software 1
Github Security Blog
added 2024/02/17 6:30 a.m. · 27 views

Use of Insufficiently Random Values in github.com/greenpau/caddy-security

Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for...

CVSS 9.8 · AI score 7.1 · EPSS 0.0068
Exploits 0 · References 6 · Affected Software 1
OSV
added 2024/02/17 6:30 a.m. · 21 views

GHSA-C7VF-M394-M4X4 Use of Insufficiently Random Values in github.com/greenpau/caddy-security

Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for...

CVSS 6.5 · AI score 7.9 · EPSS 0.0068
Exploits 0 · References 6
OSV
added 2024/02/17 5:15 a.m. · 28 views

CVE-2024-21495

Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for...

CVSS 9.8 · AI score 7.1
Exploits 0 · References 4
NVD
added 2024/02/17 5:15 a.m. · 15 views

CVE-2024-21495

Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for...

CVSS 9.8 · AI score 6.5 · EPSS 0.0068
Exploits 0 · References 4
Vulnrichment
added 2024/02/17 5:00 a.m. · 13 views

CVE-2024-21495

Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for...

CVSS 6.5 · AI score 7 · EPSS 0.0068
Exploits 0 · References 4
Cvelist
added 2024/02/17 5:00 a.m. · 20 views

CVE-2024-21495

Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for...

CVSS 6.5 · AI score 6.8 · EPSS 0.0068
Exploits 0 · References 4
CVE
added 2024/02/17 5:00 a.m. · 98 views

CVE-2024-21495

The CVE-2024-21495 entry concerns the Go package github.com/greenpau/caddy-security (versions before 1.0.42). Root cause: insecure randomness used in multiple contexts (OAuth nonce, MFA secrets, API key generation) due to an insecure RNG library, enabling potential replay or predictability attack...

CVSS 9.8 · AI score 6.5 · EPSS 0.0068
Exploits 0 · References 4 · Affected Software 1
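The go-authcrunch and caddy-security entries above (CVE-2024-21495 and the Veracode, GitHub and OSV records of the same flaw) share one root cause: strings used as OAuth nonces, MFA secrets and API keys were produced with math/rand seeded from a Unix timestamp, so anyone who knows roughly when a value was issued can recover the seed by trying every timestamp in a window and regenerating. The Go program below is an added example and not the library's code: WeakToken is a model of that pattern (the real generator's alphabet and token length are not given on this page), RecoverSeed is the seed search an attacker would run, and SecureToken is the crypto/rand replacement, with rejection sampling so the alphabet is drawn uniformly.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	mrand "math/rand"
	"time"
)

// charset is an assumed alphabet for the illustration, not the library's.
const charset = "abcdefghijklmnopqrstuvwxyz0123456789"

// WeakToken models the vulnerable pattern the advisories describe: math/rand
// seeded with a Unix timestamp. The same seed always yields the same token,
// so the token's secrecy reduces to the secrecy of the issue time.
func WeakToken(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = charset[r.Intn(len(charset))]
	}
	return string(b)
}

// RecoverSeed brute-forces the seed of an observed weak token, given an
// approximate issue time and a window (in seconds) to search on either side.
// A response Date header or a log timestamp is enough for "approx".
func RecoverSeed(observed string, approx time.Time, window int64) (int64, error) {
	base := approx.Unix()
	for d := int64(0); d <= window; d++ {
		for _, s := range []int64{base + d, base - d} {
			if WeakToken(s, len(observed)) == observed {
				return s, nil
			}
		}
	}
	return 0, errors.New("seed not found in window")
}

// SecureToken is the hardened replacement: bytes from crypto/rand, with
// rejection sampling so that the modulo by len(charset) introduces no bias.
func SecureToken(n int) (string, error) {
	b := make([]byte, n)
	buf := make([]byte, 1)
	limit := 256 - (256 % len(charset)) // largest multiple of len(charset) <= 256
	for i := 0; i < n; {
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		if int(buf[0]) < limit {
			b[i] = charset[int(buf[0])%len(charset)]
			i++
		}
	}
	return string(b), nil
}

func main() {
	issued := time.Unix(1700000000, 0) // constructed issue time
	tok := WeakToken(issued.Unix(), 32)
	// The attacker's clock is two minutes off; a ten-minute window still finds it.
	seed, err := RecoverSeed(tok, issued.Add(2*time.Minute), 600)
	fmt.Println("weak token:", tok, "recovered seed:", seed, "err:", err)

	st, _ := SecureToken(32)
	fmt.Println("secure token:", st)
}
```

The search costs at most a few thousand regenerations for a window of minutes, and widening it to a whole day is still only 86,400 seeds; nothing about the token itself resists this. The fix in 1.0.42 corresponds to the SecureToken side: the source of randomness, not the seed handling, is what has to change.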
Hacker One
added 2024/02/10 7:07 p.m. · 44 views

Weblate: Information Disclosure

A vulnerability allowed API keys to be exposed in a PyPI package...

AI score 6.9
Exploits 0
Hacker One
added 2024/02/02 10:55 p.m. · 68 views

Reddit: Information Disclosure Due To Use of Hard-coded Cryptographic Key

Vulnerability description not provided...

AI score 7.1
Exploits 0