304 matches found
Design/Logic Flaw
yourspotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version 1.8.0 allows users to create a public token in the settings, which can be used to provide guest-level access to the information of that specific user in YourSpotify. The /me API endpoint discloses Spotify A...
CVE-2024-28193 Disclosure of Spotify API Access Tokens to Guest Users Using Public Tokens in your_spotify
yourspotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version 1.8.0 allows users to create a public token in the settings, which can be used to provide guest-level access to the information of that specific user in YourSpotify. The /me API endpoint discloses Spotify A...
CVE-2023-6289
The Swift Performance Lite WordPress plugin before 2.3.6.15 does not prevent users from exporting the plugin's settings, which may include sensitive information such as Cloudflare API tokens...
Information disclosure
The Swift Performance Lite WordPress plugin before 2.3.6.15 does not prevent users from exporting the plugin's settings, which may include sensitive information such as Cloudflare API tokens...
CVE-2023-6289
CVE-2023-6289 affects the WordPress plugin Swift Performance Lite up to version 2.3.6.14. Root cause: missing authorization check on an admin-ajax exported function (luv-action export) via admin_init, allowing unauthenticated retrieval of plugin settings that may include Cloudflare API tokens. Im...
WordPress Plugin Swift Performance Lite Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability exists in WordPres...
CVE-2023-39349 Sentry vulnerable to privilege escalation via ApiTokensEndpoint
Sentry is an error tracking and performance monitoring platform. Starting in version 22.1.0 and prior to version 23.7.2, an attacker with access to a token with few or no scopes can query /api/0/api-tokens/ for a list of all tokens created by a user, including tokens with greater scopes, and use...
PT-2023-15694 · Checkmk · Checkmk
Name of the Vulnerable Software and Affected Versions: Checkmk versions 2.0.0p1 through 2.0.0p28 Checkmk versions 2.1.0p1 through 2.1.0p10 Description: The issue arises from the insecure termination of expired sessions in the RestAPI, allowing an attacker to utilize expired session tokens for...
CircleCI Urges Customers to Rotate Secrets Following Security Incident
DevOps platform CircleCI on Wednesday urged its customers to rotate all their secrets following an unspecified security incident. The company said an investigation is currently ongoing, but emphasized that "there are no unauthorized actors active in our systems." Additional details are expected t...
Cloudflare Public Bug Bounty: Bypassing creation of API tokens without email verification
API tokens could be created without email verification on Cloudflare. If an email-verified account changed their email address without verifying the new email, previously created API tokens remained valid. This vulnerability was addressed by requiring verification before completing the email chan...
ZeroBounce: API tokens and Emails leaked lead to sensitive information Disclosure
Summary: "Salam alikoum " Hi team i hope you are well t is a pleasure to work in your program. I will begin to present the vulnerability that I found it: Information Disclosure via ?email parameter and ?apikey Steps To Reproduce: 1. waybackurls zerobounce.net | grep gmail Response :...
HTML injection possible via LLDP
Description An unmanaged/foreign neighbouring device that is advertising its presence with LLDP can inject malicious HTML code into LibreNMS by setting its System Name TLV to whatever snippet is to be injected. This is assuming that a device that is managed by LibreNMS has LLDP and the...
grafana: Forward OAuth Identity Token can allow users to access some data sources
An information-disclosure flaw was found in grafana. When a data source has the Forward OAuth Identity feature enabled, sending a query to that data source with an API token and no other user credentials will forward the OAuth Identity of the most recently logged-in user. This flaw allows API tok...
The vulnerability of Kubernets Rancher cluster management software lies in the storage of passwords in an unencrypted form, allowing attackers to gain access to user credentials, passwords, and API tokens.
The vulnerability of Kubernets Rancher cluster management software is related to the storage of passwords in an unencrypted form. Exploiting this vulnerability can allow a remote attacker to gain access to credentials, passwords, and API tokens...
Information Disclosure
github.com/rancher/rancher is vulnerable to information disclosure. The vulnerability exists because of the lack of sanitization in credentials in cluster template answers of clusterstore.go, leading to plaintext storage and exposure of credentials, passwords and API tokens...
Design/Logic Flaw
A Insufficiently Protected Credentials vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners and Project Members to read credentials, passwords and API tokens that have been stored in cleartext and exposed via API endpoints. This issue affects: SUSE...
CVE-2021-36783 Rancher: Failure to properly sanitize credentials in cluster template answers
A Insufficiently Protected Credentials vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners and Project Members to read credentials, passwords and API tokens that have been stored in cleartext and exposed via API endpoints. This issue affects: SUSE...
GHSA-3P8R-P4Q5-MC44 Violation Comments to GitLab Plugin has Insufficiently Protected Credentials
Violation Comments to GitLab Plugin stored API tokens unencrypted in job config.xml files and its global configuration file org.jenkinsci.plugins.jvctgl.ViolationsToGitLabGlobalConfiguration.xml on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, o...
Violation Comments to GitLab Plugin has Insufficiently Protected Credentials
Violation Comments to GitLab Plugin stored API tokens unencrypted in job config.xml files and its global configuration file org.jenkinsci.plugins.jvctgl.ViolationsToGitLabGlobalConfiguration.xml on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, o...
GHSA-VXC6-WVH8-FPXW Jenkins does not invalidate the API token when a user is deleted
Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token...