Lucene search, 487 matches found

Prion | added 2020/12/18 10:15 a.m. | 16 views

Design/Logic Flaw

In tangro Business Workflow before 1.18.1, an attacker can manipulate the value of PERSON in requests to /api/profile in order to change profile information of other users...

CVSS 4, AI score 6.3, EPSS 0.00659
Exploits 1, References 2, Affected Software 1
Veracode | added 2020/12/04 2:20 a.m. | 18 views

Denial Of Service (DoS)

github.com/kubernetes-csi/external-snapshotter is vulnerable to denial of service. A NULL pointer dereference in the snapshot-controller allows an attacker to crash the application via authorized API requests...

CVSS 6.5, AI score 4.3, EPSS 0.02275
Exploits 1, References 5, Affected Software 1
NVD | added 2020/11/18 6:15 p.m. | 15 views

CVE-2020-26078

A vulnerability in the file system of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to overwrite files on an affected system. The vulnerability is due to insufficient file system protections. An attacker could exploit this vulnerability by crafting API request...

CVSS 6.5, AI score 5.4, EPSS 0.01434
Exploits 0, References 1
Cisco | added 2020/11/18 4:00 p.m. | 37 views

Cisco IoT Field Network Director File Overwrite Vulnerability

A vulnerability in the file system of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to overwrite files on an affected system. The vulnerability is due to insufficient file system protections. An attacker could exploit this vulnerability by crafting API request...

CVSS 4.9, AI score 5.7, EPSS 0.01434
Exploits 0, References 1
RedhatCVE | added 2020/11/05 9:59 a.m. | 52 views

CVE-2020-25688

A flaw was found in rhacm (Red Hat Advanced Cluster Management). Two internal service APIs were incorrectly provisioned using a test certificate from the source repository, which resulted in all installations using the same certificates. If an attacker could observe network traffic internal to a cluster, they could use the private key...

CVSS 3.5, AI score 1.6, EPSS 0.00248
Exploits 0, References 3
Kitploit | added 2020/11/02 8:30 p.m. | 46 views

Trident - Automated Password Spraying Tool

The Trident project is an automated password spraying tool developed to meet the following requirements: the ability to be deployed on several cloud platforms/execution providers; the ability to schedule spraying campaigns in accordance with a target's account lockout policy; the ability to increas...

AI score 7.7
Exploits 0, References 2
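The second Trident requirement, spraying "in accordance with a target's account lockout policy", is a scheduling constraint: with a policy that locks an account after N failed attempts inside an observation window W, a campaign must never place more than N-1 attempts (in practice fewer, to leave room for failures the operator did not cause) on one account inside any interval of length W. The following is an added illustration of that constraint and of an independent check of the resulting schedule; it is not Trident's code, and the policy figures, account names and passwords are constructed for the example.

```python
"""Campaign scheduling against an account-lockout policy.
Added illustration, not Trident's own code; all figures are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Tuple

Attempt = Tuple[datetime, str, str]   # (when, account, password)


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int        # failed attempts that lock the account
    window: timedelta     # observation window in which they are counted

    @classmethod
    def from_minutes(cls, threshold: int, minutes: int) -> "LockoutPolicy":
        return cls(threshold=threshold, window=timedelta(minutes=minutes))

    def max_attempts_per_window(self, safety_margin: int = 1) -> int:
        # Stay strictly below the threshold, and keep a margin for failed
        # logins we did not cause (the user mistyping, client retries).
        allowed = self.threshold - 1 - safety_margin
        if allowed < 1:
            raise ValueError("policy leaves no room for even one attempt")
        return allowed

    def round_interval(self, safety_margin: int = 1) -> timedelta:
        # One attempt per account per round. Spacing rounds by strictly
        # more than window/allowed puts at most `allowed` attempts on any
        # account inside any closed interval of length `window`.
        allowed = self.max_attempts_per_window(safety_margin)
        seconds = int(self.window.total_seconds()) // allowed + 1
        return timedelta(seconds=seconds)


# Constructed example policy: 5 failures within 30 minutes lock the account.
DEFAULT_POLICY = LockoutPolicy.from_minutes(threshold=5, minutes=30)
START = datetime(2020, 11, 2, 20, 30)


def plan_campaign(accounts: Iterable[str], passwords: Iterable[str],
                  policy: LockoutPolicy = DEFAULT_POLICY,
                  start: datetime = START,
                  safety_margin: int = 1) -> Iterator[Attempt]:
    """Spray one password across every account per round, rounds spaced
    by policy.round_interval(). Yields attempts in execution order."""
    step = policy.round_interval(safety_margin)
    accounts = list(accounts)
    for i, password in enumerate(passwords):
        when = start + i * step
        for account in accounts:
            yield (when, account, password)


def max_attempts_in_any_window(schedule: Iterable[Attempt],
                               window: timedelta) -> int:
    """Independent check of a schedule: the largest number of attempts on
    a single account that fall inside any closed interval of length
    `window`. Compare against policy.max_attempts_per_window()."""
    per_account: Dict[str, List[datetime]] = {}
    for when, account, _ in schedule:
        per_account.setdefault(account, []).append(when)
    worst = 0
    for times in per_account.values():
        times.sort()
        for i, t0 in enumerate(times):
            worst = max(worst, sum(1 for t in times[i:] if t - t0 <= window))
    return worst


if __name__ == "__main__":
    plan = list(plan_campaign(["alice", "bob"],
                              ["Winter2020!", "Spring2021!", "Summer2021!"]))
    for when, account, password in plan:
        print(when.isoformat(), account, password)
    print("worst case per window:",
          max_attempts_in_any_window(plan, DEFAULT_POLICY.window),
          "allowed:", DEFAULT_POLICY.max_attempts_per_window())
```

The check in max_attempts_in_any_window is deliberately independent of the planner: it only looks at timestamps, so it can also be run over a schedule produced by some other tool, or over a log of attempts actually sent, before the next round goes out.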
ThreatPost | added 2020/09/28 3:15 p.m. | 19 views

Twitter Warns Developers of API Bug That Exposed App Keys, Tokens

Twitter developers are being warned of a security bug that may have exposed their applications' credential information, including sensitive application keys and access tokens. The issue stemmed from a caching problem in developer.twitter.com. When developers visited this website, it temporarily...

Exploits 0, References 9
NVD | added 2020/09/04 3:15 a.m. | 14 views

CVE-2020-3542

A vulnerability in Cisco Webex Training could allow an authenticated, remote attacker to join a password-protected meeting without providing the meeting password. The vulnerability is due to improper validation of input to API requests that are a part of meeting join flow. An attacker could explo...

CVSS 5.3, AI score 5.2, EPSS 0.01079
Exploits 0, References 1
Prion | added 2020/09/04 3:15 a.m. | 8 views

Input validation

A vulnerability in Cisco Webex Training could allow an authenticated, remote attacker to join a password-protected meeting without providing the meeting password. The vulnerability is due to improper validation of input to API requests that are a part of meeting join flow. An attacker could explo...

CVSS 4, AI score 5.2, EPSS 0.01079
Exploits 0, References 1, Affected Software 1
Vulnrichment | added 2020/09/04 2:25 a.m. | 7 views

CVE-2020-3542 Cisco Webex Training Unauthorized Meeting Join Vulnerability

A vulnerability in Cisco Webex Training could allow an authenticated, remote attacker to join a password-protected meeting without providing the meeting password. The vulnerability is due to improper validation of input to API requests that are a part of meeting join flow. An attacker could explo...

CVSS 5.3, AI score 6.8, EPSS 0.01079
Exploits 0, References 1
Veracode | added 2020/09/03 3:26 a.m. | 10 views

Information Disclosure

loopback is vulnerable to information disclosure. Invalid API requests to the login endpoint may return information about the first user in the database...

AI score 2
Exploits 0
Github Security Blog | added 2020/09/02 9:49 p.m. | 27 views

Sensitive Data Exposure in loopback

Versions of loopback prior to 3.26.0 (3.x) and 2.42.0 (2.x) are vulnerable to Sensitive Data Exposure. Invalid API requests to the login endpoint may return information about the first user in the database. This can be used alongside other attacks for credential theft. Recommendation: If you're using...

AI score 3.5
Exploits 0, References 4, Affected Software 1
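Both loopback entries above describe the same failure mode: a login request that is missing its identifying field is not rejected, the user lookup is built from whatever fields are present, and an unconstrained lookup resolves to the first row of the users table. The following is an added model of that bug class beside the fix (validate required fields before querying, query by exactly one identifier); it is not loopback's code, and the SQLite schema, accounts and passwords are constructed for the example.

```python
"""Login lookup that runs unconstrained when the identity field is missing.
Added model of the bug class, not loopback's own code; data is constructed."""
import hashlib
import hmac
import os
import sqlite3
from typing import Any, Dict, Optional

FAILED = {"ok": False, "error": "login failed"}   # one message for every failure


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_db() -> sqlite3.Connection:
    # Constructed sample data; the first row is the administrative account,
    # which is what an unconstrained SELECT ... LIMIT 1 will return.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,"
               " salt BLOB, pw BLOB)")
    for email, pw in [("admin@example.com", "correct-horse"),
                      ("bob@example.com", "hunter2")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO users (email, salt, pw) VALUES (?, ?, ?)",
                   (email, salt, _hash(pw, salt)))
    return db


def _password_ok(row, password: str) -> bool:
    return hmac.compare_digest(_hash(password, row[2]), row[3])


def login_vulnerable(db: sqlite3.Connection,
                     credentials: Dict[str, Optional[Any]]) -> Dict[str, Any]:
    # Builds the WHERE clause from the identity fields the client chose to
    # send. A request with no usable identity field (absent, null, wrong
    # type) produces "SELECT ... FROM users" with no filter at all, so the
    # first user in the table is the one whose password gets checked.
    clauses, params = [], []
    if isinstance(credentials.get("email"), str):
        clauses.append("email = ?")
        params.append(credentials["email"])
    sql = "SELECT id, email, salt, pw FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    row = db.execute(sql + " LIMIT 1", params).fetchone()
    password = credentials.get("password")
    if row is not None and isinstance(password, str) and _password_ok(row, password):
        return {"ok": True, "user": {"id": row[0], "email": row[1]}}
    return dict(FAILED)


def login_fixed(db: sqlite3.Connection,
                credentials: Dict[str, Optional[Any]]) -> Dict[str, Any]:
    email = credentials.get("email")
    password = credentials.get("password")
    # Refuse the request before touching the database unless every required
    # field is present and of the expected type; then query by that one
    # identifier only, so no request shape can widen the lookup.
    if not isinstance(email, str) or not isinstance(password, str):
        return dict(FAILED)
    row = db.execute("SELECT id, email, salt, pw FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is not None and _password_ok(row, password):
        return {"ok": True, "user": {"id": row[0], "email": row[1]}}
    return dict(FAILED)


if __name__ == "__main__":
    db = make_db()
    probe = {"password": "correct-horse"}          # no email at all
    print("vulnerable:", login_vulnerable(db, probe))
    print("fixed:     ", login_fixed(db, probe))
```

The failure response is a single fixed object in both paths; returning the resolved row, or a different message for "no such user" versus "wrong password", would turn the same lookup into a user-enumeration oracle even after the missing-field check is in place.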
Cisco | added 2020/09/02 4:00 p.m. | 27 views

Cisco Webex Training Unauthorized Meeting Join Vulnerability

A vulnerability in Cisco Webex Training could allow an authenticated, remote attacker to join a password-protected meeting without providing the meeting password. The vulnerability is due to improper validation of input to API requests that are a part of meeting join flow. An attacker could explo...

CVSS 5.3, AI score 5.2, EPSS 0.01079
Exploits 0, References 1
RedhatCVE | added 2020/08/03 2:15 p.m. | 28 views

CVE-2020-14325

A vulnerability was found in Red Hat CloudForms that allows an attacker to impersonate any user, or to create a non-existent user with any entitlement in the appliance, and perform an API request. Mitigation: Red Hat recommends upgrading to secured released versions; however, this flaw can be...

CVSS 6.4, AI score 1.3, EPSS 0.01087
Exploits 0, References 4
NVD | added 2020/06/12 11:15 p.m. | 10 views

CVE-2019-16252

Missing SSL Certificate Validation in the Nutfind.com application through 3.9.12 for Android allows a man-in-the-middle attacker to sniff and manipulate all API requests, including login credentials and location data...

CVSS 5.9, EPSS 0.00477
Exploits 0, References 1
Prion | added 2020/06/12 11:15 p.m. | 11 views

Design/Logic Flaw

Missing SSL Certificate Validation in the Nutfind.com application through 3.9.12 for Android allows a man-in-the-middle attacker to sniff and manipulate all API requests, including login credentials and location data...

CVSS 4.3, AI score 5.6, EPSS 0.00477
Exploits 0, References 1, Affected Software 1
Cvelist | added 2020/06/12 10:15 p.m. | 15 views

CVE-2019-16252

Missing SSL Certificate Validation in the Nutfind.com application through 3.9.12 for Android allows a man-in-the-middle attacker to sniff and manipulate all API requests, including login credentials and location data...

AI score 5.6, EPSS 0.00477
Exploits 0, References 1
NVD | added 2020/05/04 2:15 p.m. | 11 views

CVE-2020-8791

The OKLOK 3.1.1 mobile companion app for Fingerprint Bluetooth Padlock FB50 2.3 allows remote attackers to submit API requests using authenticated but unauthorized tokens, resulting in IDOR issues. A remote attacker can use their own token to make unauthorized API requests on behalf of arbitrary...

CVSS 6.5, AI score 6.5, EPSS 0.01022
Exploits 1, References 1
Cvelist | added 2020/05/04 1:22 p.m. | 11 views

CVE-2020-8791

The OKLOK 3.1.1 mobile companion app for Fingerprint Bluetooth Padlock FB50 2.3 allows remote attackers to submit API requests using authenticated but unauthorized tokens, resulting in IDOR issues. A remote attacker can use their own token to make unauthorized API requests on behalf of arbitrary...

AI score 6.5, EPSS 0.01022
Exploits 1, References 1
Veracode | added 2020/04/30 6:58 a.m. | 19 views

Insecure Direct Object Reference

Rundeck is vulnerable to insecure direct object reference. Because the appropriate authorization level is not checked for API requests, a user can send a crafted API request to obtain unauthorized disclosure of execution data, logs and job details, at various threat levels depending on the usage...

CVSS 6.5, AI score 2.1, EPSS 0.01373
Exploits 0, References 4, Affected Software 1
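Three of the entries above (tangro Business Workflow, where the PERSON value in /api/profile selects whose profile is changed; the OKLOK FB50 companion app, where a valid token is accepted for arbitrary users' requests; and Rundeck, where execution data and logs are served without an authorization-level check) are the same broken object-level authorization pattern: the token settles who is calling, but the object acted on is taken from the request and never tied back to that principal. The following is an added illustration of the pattern beside its fix, in the two shapes it takes; it is not code from any of those projects, and the handlers, data and names are constructed for the example.

```python
"""Object-level authorization (IDOR) in API handlers, and the fix.
Added illustration, not code from tangro, OKLOK or Rundeck; data is constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class Request:
    principal: str                                        # user bound to the auth token
    params: Dict[str, str] = field(default_factory=dict)  # query/path parameters
    body: Dict[str, str] = field(default_factory=dict)    # JSON body


class Forbidden(Exception):
    pass


def fresh_profiles() -> Dict[str, Dict[str, str]]:
    # Constructed sample data, regenerated per call so tests do not interfere.
    return {"alice": {"email": "alice@example.com"},
            "bob": {"email": "bob@example.com"}}


def fresh_executions() -> Dict[str, Dict[str, str]]:
    return {"42": {"owner": "alice", "log": "job 42 output"},
            "43": {"owner": "bob", "log": "job 43 output"}}


# Shape 1: the object is "mine", so it should never be named by the client.

def update_profile_vulnerable(req: Request, profiles) -> Dict[str, str]:
    # The token proves WHO is calling, but the target comes from the request
    # (the PERSON value in the tangro advisory), so any authenticated caller
    # can point it at another user's record.
    person = req.params["PERSON"]
    profiles[person].update(req.body)
    return profiles[person]


def update_profile_fixed(req: Request, profiles) -> Dict[str, str]:
    # "My profile" is implied by the principal; a client-supplied PERSON is
    # ignored entirely rather than compared, so there is nothing to forget.
    person = req.principal
    profiles[person].update(req.body)
    return profiles[person]


# Shape 2: the object must be addressed by id (an execution, a padlock), so
# the handler must check the principal against that object explicitly.

def read_execution_vulnerable(req: Request, executions) -> str:
    # A valid token is necessary but not sufficient: no ownership check.
    return executions[req.params["id"]]["log"]


def owner_acl(principal: str, executions, exec_id: str) -> bool:
    rec = executions.get(exec_id)
    return rec is not None and rec["owner"] == principal


def read_execution_fixed(req: Request, executions,
                         authorized: Callable[[str, Dict, str], bool] = owner_acl) -> str:
    exec_id = req.params["id"]
    # Check the principal against the object before any data leaves. Unknown
    # ids and ids owned by someone else are refused identically, so the
    # response does not tell a caller which ids exist.
    if not authorized(req.principal, executions, exec_id):
        raise Forbidden(f"{req.principal} may not read execution {exec_id}")
    return executions[exec_id]["log"]


if __name__ == "__main__":
    attacker = Request(principal="bob", params={"PERSON": "alice"},
                       body={"email": "attacker@example.com"})
    print("vulnerable:", update_profile_vulnerable(attacker, fresh_profiles()))
    p = fresh_profiles()
    update_profile_fixed(attacker, p)
    print("fixed, alice untouched:", p["alice"], "bob changed:", p["bob"])
    try:
        read_execution_fixed(Request(principal="bob", params={"id": "42"}), fresh_executions())
    except Forbidden as e:
        print("fixed:", e)
```

The authorization predicate is passed in rather than hard-coded so the same handler can be backed by an owner check, a group membership or a full ACL lookup; the important property is that it is evaluated on every id-addressed request, not only on the UI path that normally issues it.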