131 matches found

The Hacker News
added 2023/01/09 10:30 a.m., 59 views

Millions of Vehicles at Risk: API Vulnerabilities Uncovered in 16 Major Car Brands

Multiple bugs affecting millions of vehicles from 16 different manufacturers could be abused to unlock, start, and track cars, plus impact the privacy of car owners. The security vulnerabilities were found in the automotive APIs powering Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infinit...

AI score: 0.9
Exploits: 0

Vulnrichment
added 2022/12/08 12:00 a.m., 9 views

CVE-2022-46792

Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. Versions before 2.10.0 are unaffected...

AI score: 6.9, EPSS: 0.00543
Exploits: 0, References: 3

Wallarm Lab
added 2022/11/10 1:00 p.m., 21 views

Q3-2022 API ThreatStats™ Report

The latest quarterly review and analysis of API vulnerabilities and exploits is in. Our initial take had us thinking it was smooth sailing for the state of API vulnerabilities in Q3—or was it just a lull in the storm? As it turns out, it’s neither. Read on to learn more about Wallarm’s analysis o...

AI score: 7.6
Exploits: 0

Wallarm Lab
added 2022/10/26 3:32 p.m., 70 views

Evolution of API Security – A Practical Guide to Addressing API Threats in 2023

The kind of API security scenarios we witnessed today were never like this from the beginning of time. It has gone to extra lengths to become responsive and productive as it’s now. How was it in the beginning? What changes has it faced? What more can we expect in the future? If this is what bothe...

CVSS: 10, AI score: 9.8, EPSS: 0.94434
Exploits: 22

Wallarm Lab
added 2022/10/17 2:28 p.m., 24 views

8 KB is not enough: why WAFs can’t protect APIs

WAFs were a top-notch security instrument a decade ago, but now they are not. They fail to protect APIs. Meanwhile, the number of API-specific vulnerabilities grew more than twofold in 2022. According to a report by Wallarm, many such vulnerabilities have critical severity, and 33% are immediatel...

AI score: 7.6
Exploits: 0

Chainguard
added 2022/09/05 10:15 a.m., 6 views

CVE-2022-38749 vulnerabilities

Vulnerabilities for packages: management-api-for-apache-cassandra-4.1, management-api-for-apache-cassandra-4.0, management-api-for-apache-cassandra-5.0...

CVSS: 6.5, AI score: 6.4, EPSS: 0.00533
Exploits: 0

Wallarm Lab
added 2022/07/28 7:38 a.m., 88 views

API Vulnerabilities Jump Up 3.7x in Q2-2022

Since the beginning of 2022, the Wallarm security research team has been analyzing API vulnerabilities and exploits, and releasing quarterly reports. The Q1 report got a lot of attention and positive feedback from the cybersecurity community, as well as a few valuable ideas and suggestions. We...

CVSS: 10, AI score: 8.9, EPSS: 0.94456
Exploits: 88

ATTACKERKB
added 2022/07/06 4:00 p.m., 4 views

CVE-2022-20812

Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device. Note: Cisco...

CVSS: 9, AI score: 6.9, EPSS: 0.01055
Exploits: 0, References: 3

Vulnrichment
added 2022/05/27 2:07 p.m., 12 views

CVE-2022-20807 Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities

Multiple vulnerabilities in the API and web-based management interfaces of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to write files or disclose sensitive information on an affected device. For more information about...

CVSS: 4.3, AI score: 6.7, EPSS: 0.00275
Exploits: 0, References: 1

Cvelist
added 2022/04/06 6:13 p.m., 17 views

CVE-2022-20754 Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities

Multiple vulnerabilities in the API and web-based management interfaces of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read/write privileges to the application to write files or execute arbitrary code on the...

CVSS: 9, AI score: 9.4, EPSS: 0.02485
Exploits: 0, References: 1

Vulnrichment
added 2022/02/18 5:50 p.m., 6 views

CVE-2022-21196 Airspan Networks Mimosa Improper Authorization

MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 do not perform proper authorization and authentication checks on multiple API routes. An attacker may gain access to these API routes and achieve remo...

CVSS: 10, AI score: 9.9, EPSS: 0.00564
Exploits: 0, References: 1

The Hacker News
added 2021/11/29 10:56 a.m., 17 views

Hackers Using Compromised Google Cloud Accounts to Mine Cryptocurrency

Threat actors are exploiting improperly-secured Google Cloud Platform (GCP) instances to download cryptocurrency mining software to the compromised systems as well as abusing its infrastructure to install ransomware, stage phishing campaigns, and even generate traffic to YouTube videos for view cou...

AI score: 6.7
Exploits: 0

FreeBSD
added 2021/09/30 12:00 a.m., 37 views

Gitlab -- vulnerabilities

Gitlab reports: Stored XSS in merge request creation page; Denial-of-service attack in Markdown parser; Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown; DNS Rebinding vulnerability in Gitea importer; Exposure of trigger tokens on project exports; Improper access control for...

CVSS: 8.7, AI score: 1, EPSS: 0.00299
Exploits: 1, References: 1

ThreatPost
added 2021/09/02 12:51 p.m., 16 views

7 Ways to Defend Mobile Apps, APIs from Cyberattacks

There are two essential elements driving progress in today’s digital-first economy: Mobile applications and the application programming interfaces (APIs) that allow those applications to communicate and exchange data with each other. The growth in these two technologies has exposed users and their...

AI score: 8.5
Exploits: 0, References: 8

NCSC
added 2021/08/25 12:00 a.m., 2 views

Vulnerabilities fixed in VMware vRealize

VMware has fixed vulnerabilities in vRealize. A malicious person with access to the vRealize Operations Manager API could potentially exploit the vulnerabilities to obtain sensitive data via accessing log files and arbitrary files, possibly taking over a user...

CVSS: 7.5, AI score: 7, EPSS: 0.00324
Exploits: 1

OSV
added 2021/07/24 6:06 p.m., 8 views

OPENSUSE-SU-2021:1089-1 Security update for icinga2

This update for icinga2 fixes the following issues: icinga2 was updated to 2.12.5: Version 2.12.5 fixes two security vulnerabilities that may lead to privilege escalation for authenticated API users. Other improvements include several bugfixes related to downtimes, downtime notifications, and mor...

CVSS: 9.1, AI score: 9.2, EPSS: 0.00555
Exploits: 2, References: 4

ThreatPost
added 2021/06/08 1:00 p.m., 33 views

Application Layer is Still the Front Door for Data Breaches

By Terry Ray, SVP and Fellow, Imperva. Each year, the number of data breaches grows by 30% while the number of records compromised increases by an average of 224%. 2021 is far from over, but we’re already on pace for another record-setting year. In fact, Imperva research finds that more records we...

AI score: 8.6
Exploits: 0, References: 2

NVD
added 2021/03/05 5:15 p.m., 12 views

CVE-2021-26965

A remote authenticated SQL injection vulnerability was discovered in Aruba AirWave Management Platform versions prior to 8.2.12.0. Multiple vulnerabilities in the API of AirWave could allow an authenticated remote attacker to conduct SQL injection attacks against the AirWave instance. An attacke...

CVSS: 6.5, EPSS: 0.00214
Exploits: 0, References: 1

NVD
added 2021/03/05 5:15 p.m., 12 views

CVE-2021-26966

A remote authenticated SQL injection vulnerability was discovered in Aruba AirWave Management Platform versions prior to 8.2.12.0. Multiple vulnerabilities in the API of AirWave could allow an authenticated remote attacker to conduct SQL injection attacks against the AirWave instance. An attacke...

CVSS: 6.5, EPSS: 0.00242
Exploits: 0, References: 1

OSV
added 2021/01/20 9:15 p.m., 2 views

CVE-2021-1248

Multiple vulnerabilities in certain REST API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory...

CVSS: 7.2, AI score: 7.4, EPSS: 0.00715
Exploits: 0, References: 1