Troy Hunt Explains Nissan Leaf Car Hack
Last month, when researcher Troy Hunt argued the dangers of insecure APIs at a security workshop, little did he know hours later he would discover an API vulnerability that allowed remote access to onboard computers of 200,000 Nissan Leaf and eNV200 electric automobiles. “After talking about the...
Mattel Fisher-Price Smart Toy Bear API Information Disclosure Vulnerability
The Mattel Fisher-Price Smart Toy Bear is a WiFi-connected Internet of Things (IoT) toy. A security vulnerability in the API on the Mattel Fisher-Price Smart Toy Bear device allows remote attackers to submit a specially crafted request and obtain sensitive informati...
CVE-2015-8269
The API on Fisher-Price Smart Toy Bear devices allows remote attackers to obtain sensitive information or modify data by leveraging presence in an 802.11 network's coverage area and entering an account number...
CVE-2015-5049
SQL injection vulnerability in the API in IBM OpenPages GRC Platform 7.0 before 7.0.0.4 IF3 and 7.1 before 7.1.0.1 IF6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors...
Updated blueman packages fix security vulnerability
Privilege escalation vulnerability in the D-Bus API of blueman before 2.0.3 (CVE-2015-8612)...
CVE-2015-6852
Directory traversal vulnerability in the API in EMC Secure Remote Services Virtual Edition 3.x before 3.10 allows remote authenticated users to read log files via a crafted parameter...
langprism.com vulnerability
Vulnerable URL: http://langprism.com/api/http/getpage?url=https://www.xssposed.org/=ru
Details:
- Patched: Yes, at 21.12.2015
- Latest check for patch: 21.12.2015 16:08 GMT
- Vulnerability status: Publicly disclosed
- Alexa Rank: 1899388
- Google Pagerank: 3
- VIP website status...
Shopify: create staff member without owner access
Hi, as you mentioned in 56726, "Only the store owner is allowed to create new staff members", admins can't create new staff members! But with this vulnerability admins can use the API to create users! Steps: - get an access token for one full-access admin; you can send a request to xauth or sniff it from...
REST API Vulnerability in Multiple F5 BIG-IQ Products
The BIG-IQ Cloud Platform provides the core services necessary for the management of application-oriented services. A security vulnerability exists in the REST API of multiple F5 BIG-IQ products, which can be exploited by a remote attacker to obtain an authentication token for any user by guessin...
SUSE-SU-2015:0945-1 Security update for spacewalk-java, spacewalk-setup
The spacewalk-java and spacewalk-setup packages were updated to fix one security issue: CVE-2014-8162: RPC API XML External Entities (XXE) file disclosure (bsc#922525). Security Issues: CVE-2014-8162...
Home Automation Protocol Z-Way Vulnerable to Remote Attacks
A researcher is warning users of the extensible Z-Way controller project that a weakness built into the software could inherently expose it to attacks. Z-Way is the controller and abstraction layer of software that handles Z-Wave, a standard for wireless communication between devices in smart...
Multiple Cross-Site Request Forgery Vulnerabilities in Cisco Unified MeetingPlace Server
Cisco Unified MeetingPlace conferencing solutions allow organizations to host integrated voice, video, and web conferences. Multiple cross-site request forgery (CSRF) vulnerabilities exist in the API functionality in Cisco Unified MeetingPlace version 8.6(1.9), which can be exploited by a remote attacker...
Moonpig API Vulnerability Exposes Payment Card Data
Moonpig, a U.K.-based company that sells personalized greeting cards, mugs, t-shirts and other novelties, has been taken to the woodshed for poor security practices by a researcher who claims it’s simple to pilfer user and payment card data through a wonky mobile app API. The company this morning...
CVE-2014-8025
The API in the Guest Server in Cisco Jabber, when HTML5 is used, allows remote attackers to obtain sensitive information by sniffing the network during an HTTP (1) GET or (2) POST response, aka Bug ID CSCus19801...
SAP SQL Anywhere .NET Data Provider Column Alias Stack Buffer Overflow Code Execution Vulnerability
This allows attackers to execute arbitrary code on applications which pass user provided data to the vulnerable API in SAP SQL Anywhere. The specific flaw exists within the handling of column aliases. If an application allows untrusted input to be used as the column alias in a query, even if the...
Cross site scripting
Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8 allows remote attackers to inject arbitrary web script or HTML via the text parameter to api/v1/markdown...
CVE-2014-7823
The virDomainGetXMLDesc API in Libvirt before 1.2.11 allows remote read-only users to obtain the VNC password by using the VIR_DOMAIN_XML_MIGRATABLE flag, which triggers the use of the VIR_DOMAIN_XML_SECURE flag...
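The libvirt entry above describes a classic flag-derivation bug: the access check runs on the flags the caller asked for, and only afterwards does one flag (MIGRATABLE) silently imply another (SECURE) that the caller was not allowed to request. The following is an added illustration, not libvirt's own code: a small C model in which the flag values mirror libvirt's virDomainXMLFlags but the functions, names and return codes are hypothetical. It shows the vulnerable ordering beside the fixed one, where the effective flags are derived before the access check.

```c
#include <stdbool.h>
#include <stdio.h>

/* Flag values mirror libvirt's virDomainXMLFlags; the rest is a model. */
#define XML_SECURE     (1u << 0)  /* include secrets such as the VNC password */
#define XML_INACTIVE   (1u << 1)
#define XML_MIGRATABLE (1u << 3)  /* XML suitable for migration (implies SECURE) */

/* Result codes for the model calls. */
#define RESULT_DENIED         0
#define RESULT_OK_NO_SECRET   1
#define RESULT_OK_WITH_SECRET 2

/* Access check: read-only connections may never request secrets. */
static bool acl_allows(bool read_only, unsigned flags)
{
    return !(read_only && (flags & XML_SECURE));
}

/* Vulnerable ordering: the ACL sees only what the caller asked for, and
 * MIGRATABLE adds SECURE after the check, so a read-only caller asking
 * for MIGRATABLE alone walks away with the secret. */
int vulnerable_get_xml(bool read_only, unsigned flags)
{
    if (!acl_allows(read_only, flags))
        return RESULT_DENIED;
    if (flags & XML_MIGRATABLE)
        flags |= XML_SECURE;              /* implied, after the check */
    return (flags & XML_SECURE) ? RESULT_OK_WITH_SECRET : RESULT_OK_NO_SECRET;
}

/* Fixed ordering: derive the effective flag set first, then run the ACL
 * on the flags that will actually be honoured. */
int fixed_get_xml(bool read_only, unsigned flags)
{
    if (flags & XML_MIGRATABLE)
        flags |= XML_SECURE;              /* implied, before the check */
    if (!acl_allows(read_only, flags))
        return RESULT_DENIED;
    return (flags & XML_SECURE) ? RESULT_OK_WITH_SECRET : RESULT_OK_NO_SECRET;
}

int main(void)
{
    /* A read-only caller requesting only MIGRATABLE. */
    printf("vulnerable: %d (2 = secret leaked)\n",
           vulnerable_get_xml(true, XML_MIGRATABLE));
    printf("fixed:      %d (0 = denied)\n",
           fixed_get_xml(true, XML_MIGRATABLE));
    return 0;
}
```

The general lesson is the same whenever one option implies another: normalise the request into its effective form first, then authorise that form, never the raw input.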
Drupal Releases Security Advisory
Drupal has released a security advisory to address an application program interface (API) vulnerability (CVE-2014-3704) that could allow an attacker to execute arbitrary SQL commands on an affected system. This vulnerability affects all Drupal core 7.x versions prior to 7.32. US-CERT advises users an...
MS Windows 2000/NT 4/XP Window Message Subsystem Design Error Vulnerability (8)
No description provided by source. Source: http://www.securityfocus.com/bid/5408/info. A serious design error in the Win32 API has been reported. The issue is related to the inter-window message passing system. This vulnerability is wide-ranging and likely affects almost every Win32 window-based...
Code injection
The API in Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 on Windows and OS X does not prevent access to unmapped memory, which allows attackers to execute arbitrary code via unspecified API calls...