144 matches found
CVE-2025-27154 Spotipy's cache file, containing spotify auth token, is created with overly broad permissions
Spotipy is a lightweight Python library for the Spotify Web API. The CacheHandler class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has rw-r--r-- 644 permissions by default, when it could be locked down to rw------- 600 permissions. This leads to overly...
CVE-2025-27154 Spotipy's cache file, containing spotify auth token, is created with overly broad permissions
Spotipy is a lightweight Python library for the Spotify Web API. The CacheHandler class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has rw-r--r-- 644 permissions by default, when it could be locked down to rw------- 600 permissions. This leads to overly...
CVE-2025-27154
Spotipy is a lightweight Python library for the Spotify Web API. The CacheHandler class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has rw-r--r-- 644 permissions by default, when it could be locked down to rw------- 600 permissions. This leads to overly...
Spotipy -- Spotipy's cache file, containing spotify auth token, is created with overly broad permissions
[email protected] reports: Spotipy is a lightweight Python library for the Spotify Web API. The CacheHandler class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has rw-r--r-- 644 permissions by default, when it could be locked down to rw-----...
CVE-2024-52528
CVE-2024-52528 affects Budget Control Gateway, a gateway component routing requests to Budget Control microservices. The root cause is improper validation of auth tokens, which can let attackers bypass access restrictions. Affects Budget Control Gateway versions prior to 1.5.2; CVSS 4.0 base scor...
CVE-2024-52528 Auth Token can be passed dummy or wrong the middleware response is 200 OK
Budget Control Gateway acts as an entry point for incoming requests and routes them to the appropriate microservices for Budget Control. Budget Control Gateway does not properly validate auth tokens, which allows attackers to bypass intended restrictions. This vulnerability is fixed in 1.5.2...
CVE-2024-52528 Auth Token can be passed dummy or wrong the middleware response is 200 OK
Budget Control Gateway acts as an entry point for incoming requests and routes them to the appropriate microservices for Budget Control. Budget Control Gateway does not properly validate auth tokens, which allows attackers to bypass intended restrictions. This vulnerability is fixed in 1.5.2...
CVE-2024-52528 Auth Token can be passed dummy or wrong the middleware response is 200 OK
Budget Control Gateway acts as an entry point for incoming requests and routes them to the appropriate microservices for Budget Control. Budget Control Gateway does not properly validate auth tokens, which allows attackers to bypass intended restrictions. This vulnerability is fixed in 1.5.2...
Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184)
A stored cross-site scripting has been found in the image upload functionality that can be used by normal registered users: It is possible to upload a SVG image containing JavaScript and it's also possible to upload a HTML document when the format parameter is manually changed to documents1 or a...
aldryn-django (=4.2.10.0), am-report (=0.1.5) +81 more potentially affected by CVE-2024-41990 via django (>=4.2.0 <=4.2.14)
django PYPI version =4.2.0, =7.5.1, =0.0.1, =0.4.0, =5.2.0, =0.5.1, =0.12.2, =3.1.0, =7.2.2, =39.1.0, =39.1.4 and more Source cves: CVE-2024-41990 Source advisory: OSV:PYSEC-2024-68...
aldryn-django (=4.2.10.0), am-report (=0.1.5) +81 more potentially affected by CVE-2024-38875 via django (>=4.2.0 <=4.2.13)
django PYPI version =4.2.0, =7.5.1, =0.0.1, =0.4.0, =5.2.0, =0.5.1, =0.12.2, =3.1.0, =7.2.2, =39.1.0, =39.1.4 and more Source cves: CVE-2024-38875 Source advisory: OSV:PYSEC-2024-56...
Malicious code in driverless-acquisition-blue-auth-token-validator (npm)
--- -= Per source details. Do not edit below this line.=-...
MAL-2024-2268 Malicious code in driverless-acquisition-blue-auth-token-validator (npm)
--- -= Per source details. Do not edit below this line.=-...
CVE-2024-37150 Private npm registry support used scope auth token for downloading tarballs
An issue in .npmrc support in Deno 1.44.0 was discovered where Deno would send .npmrc credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private...
CVE-2024-37150 Private npm registry support used scope auth token for downloading tarballs
An issue in .npmrc support in Deno 1.44.0 was discovered where Deno would send .npmrc credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private...
Mozilla: sentry Auth Token exposed publicly in docker hub image
The Sentry authentication token was exposed publicly in Docker Hub images belonging to the Taskcluster project. The token was found in the source code of the images and was still active, allowing access to the Sentry API...
CVE-2024-27932 Deno's improper suffix match testing for DENO_AUTH_TOKENS
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An aut...
CVE-2024-27932 Deno's improper suffix match testing for DENO_AUTH_TOKENS
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An aut...
CVE-2024-27932
The CVE-2024-27932 issue affects Deno (JavaScript/TypeScript/Wasmtime runtime). The vulnerability arises from an improper check in the import descriptor hostname logic (in the auth_tokens.rs path) where a token hostname is not correctly constrained to its domain, allowing a token intended for exa...
Potential leakage of Sentry auth tokens by React Native SDK with Expo plugin
Impact SDK versions between and including 5.16.0 and 5.19.0 allowed Sentry auth tokens to be set in the optional authToken configuration parameter, for debugging purposes. Doing so would result in the auth token being built into the application bundle, and therefore the auth token could be...