CVE-2023-28640

Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client...

Design/Logic Flaw

Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client...

CVE-2023-28640 Permissions bypass in Apiman could enable authenticated attacker to unpermitted API Key

Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client...

CVE-2023-28640

Summary: CVE-2023-28640 affects Apiman. A missing permissions check allowed an authenticated Apiman Manager user to access API keys they should not Permissions by guessing a URL that includes Organisation ID, Client ID, and Client Version. This is not trivial but possible via brute-forcing or gue...

Zero-day spells disaster for Bitcoin ATM

Bitcoin ATMs have experienced a severe bout of cash drain after a zero-day bug was exploited to steal a total of $1.5 million in digital currency. The ATMs, located in various convenience stores, function along the lines of regular banking ATMs except your dealings are all in the cryptocurrency...

Hackers Steal Over $1.6 Million in Crypto from General Bytes Bitcoin ATMs Using Zero-Day Flaw

Bitcoin ATM maker General Bytes disclosed that unidentified threat actors stole cryptocurrency from hot wallets by exploiting a zero-day security flaw in its software. "The attacker was able to upload his own java application remotely via the master service interface used by terminals to upload...

Cross site request forgery (csrf)

FreshRSS is a self-hosted RSS feed aggregator. When using the greader API, the provided password is logged in clear in users//logapi.txt in the case where the authentication fails. The issues occurs in authorizationToUser in greader.php. If there is an issue with the request or the credentials,...

CVE-2023-22481

CVE-2023-22481 affects FreshRSS with its greader API. The failure paths unauthorized()/badRequest() print debugInfo(), which returns the request content, causing passwords or API keys to be logged in clear in users/_/log_api.txt (and optionally syslog if COPY_LOG_TO_SYSLOG is true). Exploitation ...

CVE-2023-22481 Sensitive information exposure in the logs of greader API in FreshRSS

FreshRSS is a self-hosted RSS feed aggregator. When using the greader API, the provided password is logged in clear in users//logapi.txt in the case where the authentication fails. The issues occurs in authorizationToUser in greader.php. If there is an issue with the request or the credentials,...

CVE-2023-26468

Cerebrate 1.12 does not properly consider organisationid during creation of API keys...

CVE-2023-26468

Cerebrate 1.12 does not properly consider organisationid during creation of API keys...

Design/Logic Flaw

Cerebrate 1.12 does not properly consider organisationid during creation of API keys...

CVE-2023-26468

Cerebrate 1.12 does not properly consider organisationid during creation of API keys...

SUSE CVE-2019-7628

Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in...

SUSE CVE-2020-7009

Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges...

SUSE CVE-2020-7014

The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication...

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : grafana (SUSE-SU-2023:0362-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0362-1 advisory. - Grafana is an open source observability and data visualization platform. Versions prior to 9.1...

Design/Logic Flaw

Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli = 1.0.0 && 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. If you're on a...

CVE-2023-25164 Sensitive Information leak via Script File in TinaCMS

Tinacms is a Git-backed headless content management system with support for visual editing. Sites being built with @tinacms/cli = 1.0.0 && 1.0.9 which store sensitive values in the process.env variable are impacted. These values will be added in plaintext to the index.js file. If you're on a...

CVE-2023-23132

Selfwealth iOS mobile App 3.3.1 is vulnerable to Sensitive key disclosure. The application reveals hardcoded API keys...