393 matches found

NVD
added 2018/12/18 3:29 p.m. · 14 views

CVE-2018-1833

IBM Event Streams 2018.3.0 could allow a remote attacker to submit an API request with a fake Host request header. An attacker, who has already gained authorised access via the CLI, could exploit this vulnerability to spoof the request header. IBM X-Force ID: 150507...

CVSS 5.3 · AI score 5.1 · EPSS 0.0013
Exploits 0 · References 3
Hacker One
added 2018/10/18 10:35 a.m. · 26 views

Gatecoin: API request signature can be reused with other parameters/data than the original in certain cases

If an attacker can intercept/see an API request from a client whose system clock is slightly ahead of the server time, then the attacker can re-use the API request signature towards the same URL but with a different payload. This can, for some of the endpoints, lead to serious vulnerabilitie...

Exploits 0
Exploit DB
added 2018/05/27 12:00 a.m. · 70 views

Werewolf Online 0.8.8 - Information Disclosure

Exploit Title: Werewolf Online 0.8.8 - Insecure Logging · Date: 2018-05-24 · Software Link: https://play.google.com/store/apps/details?id=com.werewolfapps.online · Download Link: https://apkpure.com/werewolf-online-unreleased/com.werewolfapps.online/download?from=details · Exploit Author: ManhNho · Version...

CVSS 7.5 · AI score 7.6 · EPSS 0.18661
Exploits 5
CNVD
added 2018/04/03 12:00 a.m. · 1 view

ZOHO ManageEngine ServiceDesk Plus Cross-Site Scripting Vulnerability

ZOHO ManageEngine ServiceDesk Plus (SDP) is an ITIL-based IT service management (ITSM) software suite from the US company ZOHO (ZhuoHao). The software integrates incident management, problem management, asset management, IT project management, procurement and contract management a...

CVSS 6.1 · AI score 6.7 · EPSS 0.00627
Exploits 1 · References 1
Prion
added 2017/12/29 10:29 p.m. · 16 views

Design/Logic Flaw

The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token...

CVSS 5 · AI score 6.9 · EPSS 0.00548
Exploits 0 · References 9 · Affected Software 2
NVD
added 2017/12/29 10:29 p.m. · 12 views

CVE-2015-8008

The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token...

CVSS 7.5 · AI score 8.6 · EPSS 0.00548
Exploits 0 · References 9
Cvelist
added 2017/12/29 10:00 p.m. · 12 views

CVE-2015-8008

The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token...

AI score 8.6 · EPSS 0.00548
Exploits 0 · References 9
Prion
added 2017/12/05 9:29 a.m. · 11 views

Stack overflow

The remote management interface on the Claymore Dual GPU miner 10.1 allows an unauthenticated remote attacker to execute arbitrary code due to a stack-based buffer overflow in the request handler. This can be exploited via a long API request that is mishandled during logging...

CVSS 10 · AI score 9.8 · EPSS 0.53864
Exploits 4 · References 3 · Affected Software 1
NVD
added 2017/12/05 9:29 a.m. · 10 views

CVE-2017-16930

The remote management interface on the Claymore Dual GPU miner 10.1 allows an unauthenticated remote attacker to execute arbitrary code due to a stack-based buffer overflow in the request handler. This can be exploited via a long API request that is mishandled during logging...

CVSS 10 · AI score 9.8 · EPSS 0.53864
Exploits 4 · References 3
Cvelist
added 2017/12/05 9:00 a.m. · 16 views

CVE-2017-16930

The remote management interface on the Claymore Dual GPU miner 10.1 allows an unauthenticated remote attacker to execute arbitrary code due to a stack-based buffer overflow in the request handler. This can be exploited via a long API request that is mishandled during logging...

AI score 9.9 · EPSS 0.53864
Exploits 4 · References 3
CVE
added 2017/12/05 9:00 a.m. · 46 views

CVE-2017-16930

Claymore's Dual ETH miner (GPU) remote management interface in version 10.1 is affected by an unauthenticated stack-based buffer overflow triggered by logging an overly long API request. The vulnerability arises from logging via sprintf into a fixed-size 0x4000-byte buffer, enabling potential rem...

CVSS 10 · AI score 9.7 · EPSS 0.53864
Exploits 4 · References 3 · Affected Software 1
seebug.org
added 2017/11/09 12:00 a.m. · 50 views

Circle with Disney Token Routing Vulnerability (CVE-2017-12085)

Summary: An exploitable routing vulnerability exists in the Circle with Disney cloud infrastructure. A specially crafted packet can make the Circle cloud route a packet to any arbitrary Circle device. An attacker needs network connectivity to the Internet to trigger this vulnerability. Tested...

AI score 8.9 · EPSS 0.01455
Exploits 2
Cisco
added 2017/09/27 4:00 p.m. · 30 views

Cisco IOS XE Software Web UI REST API Authentication Bypass Vulnerability

A vulnerability in the REST API of the web-based user interface (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass authentication to the REST API of the web UI of the affected software. The vulnerability is due to insufficient input validation for the REST A...

CVSS 10 · AI score 9.9 · EPSS 0.09258
Exploits 0 · References 1
Positive Technologies
added 2016/11/21 12:00 a.m. · 5 views

PT-2021-5495 · Saltstack +3 · Saltstack Salt +3

Name of the Vulnerable Software and Affected Versions: SaltStack Salt versions prior to 3002.5. Description: The issue is related to errors in processing input data in the ssh client of the salt-api in SaltStack Salt. This can allow a remote attacker to execute arbitrary commands with elevated...

CVSS 10 · AI score 8 · EPSS 0.94387
Exploits 39 · References 206
Hacker One
added 2016/05/27 3:43 a.m. · 17 views

Uber: Uber is Flooding my Mobile with SMS Daily like a cron JOB

The issue is with the design of sending SMS by the Uber referrals system, and every day it's flooding my phone number with driver invitation messages. To reproduce this scenario I have fuzzed the below request through OWASP ZAP. I fuzzed for 10,000 requests, keeping the same phone number. I have used my...

AI score 7
Exploits 0
Cvelist
added 2016/05/05 9:00 p.m. · 18 views

CVE-2016-1387

The XML API in TelePresence Codec TC 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, and 7.3.5 and Collaboration Endpoint CE 8.0.0, 8.0.1, and 8.1.0 in Cisco TelePresence Software mishandles authentication, which allows remote attackers to execute control commands or make configuration changes v...

AI score 9.8 · EPSS 0.01438
Exploits 0 · References 2
CVE
added 2016/05/05 9:00 p.m. · 58 views

CVE-2016-1387

Cisco TelePresence TC (Codec) 7.2.x–7.3.x and CE (Collaboration Endpoint) 8.0.x–8.1.x are affected by an authentication bypass in the XML API due to improper authentication implementation. An unauthenticated, remote attacker can bypass XML API authentication and perform configuration changes or i...

CVSS 9.8 · AI score 9.7 · EPSS 0.01438
Exploits 0 · References 2 · Affected Software 1
Prion
added 2016/04/11 9:59 p.m. · 18 views

Input validation

Incomplete blacklist vulnerability in the configisprivate function in configapi.php in MantisBT 1.3.x before 1.3.0 allows remote attackers to obtain sensitive master salt configuration information via a SOAP API request...

CVSS 5 · AI score 6.6 · EPSS 0.00291
Exploits 0 · References 5 · Affected Software 1
Prion
added 2015/10/11 1:59 a.m. · 12 views

Cross-site request forgery (CSRF)

IBM License Metric Tool 9 before 9.2.1.0 and Endpoint Manager for Software Use Analysis 9 before 9.2.1.0 allow remote authenticated users to bypass intended access restrictions and obtain sensitive information via a REST API request...

CVSS 4 · AI score 6.2 · EPSS 0.0014
Exploits 0 · References 2 · Affected Software 1
Hacker One
added 2015/07/03 8:54 p.m. · 31 views

Udemy: Extremely high course rating values could be set in order to make a really high average rating for the course. Negative values could be set too.

An authenticated user can register for some course, paid or free. After registering and taking a couple of lectures, the "Rate course" function becomes active. A malicious user can fill in the rating form and submit it. By intercepting the request to the server's API using an intercepting proxy tool and modify...

AI score 6.8
Exploits 0