CVE-2017-8307

In Avast Antivirus before v17, using the LPC interface API exposed by the AvastSVC.exe Windows service, it is possible to launch predefined binaries, or replace or delete arbitrary files. This vulnerability is exploitable by any unprivileged user when Avast Self-Defense is disabled. It is also...

Authentication flaw

Cybozu Garoon before 4.2.2 allows remote attackers to bypass login authentication via vectors related to API use...

CVE-2016-1219

CVE-2016-1219 : In Cybozu Garoon, versions prior to 4.2.2 expose an authentication bypass vulnerability related to API usage that lets remote attackers bypass login authentication. The main affected product is Cybozu Garoon (versions up to 4.2.1). The reported impact is remote authentication bypa...

Alienvault OSSIM/USM 5.3.4/5.3.5 - Remote Command Execution Exploit

Exploit for php platform in category web applications This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'AlienVault USM/OSSIM API Command Execution', 'Description' = %q This modu...

Alienvault OSSIM/USM 5.3.4/5.3.5 - Remote Command Execution (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'AlienVault USM/OSSIM API Command Execution', 'Description' = %q This module exploits an unauthenticated command injection in...

WordPress 4.7.1 - Username Enumeration

WordPress 4.7.1 - Username Enumeration !usr/bin/php...

W3C High Resolution Time API AnC Attack Vulnerability

The W3C High Resolution Time API is a set of JavaScript interfaces for providing web applications with a sub-millisecond resolution of the current time format. A security vulnerability exists in the W3C High Resolution Time API. The vulnerability can be exploited by an attacker with specially...

The vulnerability of the Android operating system, which allows a perpetrator to compromise the confidentiality of information

The vulnerability of the Android operating system’s Framework API is related to lack of access control. Exploiting this vulnerability can allow a malicious actor to compromise the confidentiality of sensitive information...

CVE-2016-6770

An elevation of privilege vulnerability in the Framework API could enable a local malicious application to access system functions beyond its access level. This issue is rated as Moderate because it is a local bypass of restrictions on a constrained process. Product: Android. Versions: 4.4.4,...

Shopify: CSRF in all API endpoints when authenticated using HTTP Authentication

Description: Short: I have found a CSRF vulnerability in all API endpoints /admin/anyapiendpoint/ if the current user has authenticated using HTTP authentication. Details: When a user generates API credentials for a private application in his shop he will be given API key and password that he can...

Keybase: Denial of Service through set_preference.json

Hey there, When selecting an image at https://keybase.io//api/1.0/image/setpreference.json, passing an invalid value in identitysrc knocks the server down for 20-30 seconds, with just one request. I have verified this by visiting an external website that checks if a website is down. POC: 1. Conne...

CVE-2016-5390

CVE-2016-5390 affects Foreman before 1.11.4 and 1.12.x before 1.12.1. The issue allows remote authenticated users with the view_hosts permission to exploit an information-disclosure flaw via API routes under hosts (e.g., api/v2/hosts/secrethost/interfaces) to obtain sensitive network interface in...

Docebo LMS 6.9 - (Moxie) API Calls RST RCE Vulnerability

Document Title: =============== Docebo LMS 6.9 - Moxie API Calls RST RCE Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1888 Video: http://www.vulnerability-lab.com/getcontent.php?id=1892 Release Date: ============= 2016-08-02 Vulnerabilit...

OLX: SQLi in Payment Request

Hi there, I have found out that one request in your API is vulnerable to SQL injection. PoC: Invalid Request: GET /api/v1.0/payments/items?ids=891048367'"&platform=desktop HTTP/1.1 Host: www.olx.com.ar User-Agent: Mozilla/5.0 Windows NT 6.3; WOW64; rv:46.0 Gecko/20100101 Firefox/46.0 Accept:...

Vulnerability of Adobe Reader software, which allows a malicious individual to compromise the confidentiality, integrity, and accessibility of protected information

The vulnerability exists in the Adobe Reader API due to the access to unmaped memory. Exploiting this vulnerability allows attackers to execute arbitrary code by using API calls...

openstack-ironic: Ironic Node information including credentials exposed to unauthenticated users

An authentication vulnerability was found in openstack-ironic. A client with network access to the ironic-api service could bypass OpenStack Identity authentication, and retrieve all information about any node registered with OpenStack Bare Metal. If an unprivileged attacker knew or was able to...

Cisco Application Policy Infrastructure Controller Enterprise Module Security Bypass Vulnerability

The Cisco Application Policy Infrastructure Controller Enterprise Module is a suite of applications that provide policy-based use for automated configuration of end-to-end infrastructure controllers. A security bypass vulnerability exists in the API of the Cisco Application Policy Infrastructure...

Cisco Prime Infrastructure Privilege Escalation API Vulnerability (cisco-sa-20160406-privauth)

A vulnerability in the web application programming interface API of Cisco Prime Infrastructure could allow an authenticated, remote attacker to gain elevated privileges. SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyrigh...

Troy Hunt Explains Nissan Leaf Car Hack

Last month, when researcher Troy Hunt argued the dangers of insecure APIs at a security workshop, little did he know hours later he would discover an API vulnerability that allowed remote access to onboard computers of 200,000 Nissan Leaf and eNV200 electric automobiles. “After talking about the...

Mattel Fisher-Price Smart Toy Bear API Information Disclosure Vulnerability

The Mattel Fisher-Price Smart Toy Bear is a WiFi connected Internet of Things IOT smart toy bear. A security vulnerability in the API on the Mattel Fisher-Price Smart Toy Bear device allows remote attackers to exploit the vulnerability by submitting a special request to obtain sensitive informati...