
81 matches found

PyPA
added 2020/08/14 5:15 p.m. · 4 views

PYSEC-2020-71

In openapi-python-client before version 0.5.3, clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution...

CVSS 9 · AI score 7.6 · EPSS 0.00757
Exploits 0 · References 4 · Affected Software 1
Imperva Blog
added 2019/08/01 4:00 p.m. · 32 views

Stronger Together, Red Hat 3scale Integration

Most enterprises today rely on customers accessing their applications to conduct daily business. These enterprises know by now that application programming interfaces (APIs) are becoming more common than ever before to enable communication between applications and end users. Even though they are...

Exploits 0
Carbon Black Blog
added 2019/04/29 5:30 p.m. · 33 views

CB Customer Spotlight: Q&A with Netflix DVD’s Jimmy Sanders

Recently we sat down with Jimmy Sanders, VP of Information Security at Netflix DVD, to talk about his upcoming presentation for CB Connect, Carbon Black’s customer conference. Sanders was one of the headliners at CB Connect 2018, and this year he will be speaking to his peers in the Security...

AI score 6.8
Exploits 0
ThreatPost
added 2019/03/13 4:58 p.m. · 39 views

MAGA 'Safe Space' App Developer Threatens Security Researcher

UPDATE: A newly released 63red Safe mobile app that aims to help wary Trump supporters find "safe" and conservative-friendly places to wear Make America Great Again (MAGA) gear turns out to have a host of security issues, according to one researcher. Meanwhile, Scott Wallace, the Oklahoma-based mobi...

AI score 7.5
Exploits 0 · References 17
Github Security Blog
added 2018/10/19 4:46 p.m. · 20 views

Deserialization of Untrusted Data in swagger-parser

A vulnerability in Swagger-Parser's (version <= 1.0.30) YAML parsing functionality results in arbitrary code being executed when a maliciously crafted YAML OpenAPI specification is parsed. This in particular affects the 'generate' and 'validate' commands in swagger-codegen <= 2.2.2 and can lead to...

CVSS 8.8 · AI score 5.7 · EPSS 0.00463
Exploits 0 · References 4 · Affected Software 2
RedHat Linux
added 2018/10/18 8:14 a.m. · 2 views

vertx: API Validation XML Schemas do not forbid file system access

In versions from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defenses against XML attacks. This mechanism is used exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema...

CVSS 9.8 · AI score 5.8 · EPSS 0.00587
Exploits 0 · References 4
Hacker One
added 2018/07/23 7:32 a.m. · 51 views

WordPress: Open API For Username enumeration

We can do username enumeration. Reproduce: 1. Go to any WordPress site. 2. Type ?author=1 at the end of the site URL: www.site.com/?author=1. 3. You will get www.site.com/author/admin; now admin is the username for the login panel of that site. Thanks, Sameer Phad. Impact -...

AI score 1.1
Exploits 0
Imperva Blog
added 2018/05/11 3:43 p.m. · 36 views

Imperva Python SDK – We’re All Consenting SecOps Here

Managing your WAF can be a complicated task. Custom policies, signatures, application profiles, gateway plugins… there’s a good reason ours is considered the best in the world. Back when security teams were in charge of just a handful of WAF stacks and a few dozen applications, things were...

AI score 0.4
Exploits 0
NVD
added 2017/11/27 3:29 p.m. · 10 views

CVE-2017-1000207

A vulnerability in Swagger-Parser's (version <= 1.0.30) and Swagger Codegen's (version <= 2.2.2) YAML parsing functionality results in arbitrary code being executed when a maliciously crafted YAML OpenAPI specification is parsed. This in particular affects the 'generate' and 'validate' commands in...

CVSS 8.8 · AI score 8.9 · EPSS 0.00423
Exploits 0 · References 2
Prion
added 2017/11/27 3:29 p.m. · 10 views

Design/Logic Flaw

A vulnerability in Swagger-Parser's (version <= 1.0.30) and Swagger Codegen's (version <= 2.2.2) YAML parsing functionality results in arbitrary code being executed when a maliciously crafted YAML OpenAPI specification is parsed. This in particular affects the 'generate' and 'validate' commands in...

CVSS 6.8 · AI score 8.9 · EPSS 0.00463
Exploits 0 · References 2 · Affected Software 2
Cvelist
added 2017/11/27 3:00 p.m. · 13 views

CVE-2017-1000207

A vulnerability in Swagger-Parser's (version <= 1.0.30) and Swagger Codegen's (version <= 2.2.2) YAML parsing functionality results in arbitrary code being executed when a maliciously crafted YAML OpenAPI specification is parsed. This in particular affects the 'generate' and 'validate' commands in...

AI score 8.9 · EPSS 0.00423
Exploits 0 · References 2
NVD
added 2017/11/17 2:29 a.m. · 6 views

CVE-2017-1000208

A vulnerability in Swagger-Parser's (version <= 1.0.30) YAML parsing functionality results in arbitrary code being executed when a maliciously crafted YAML OpenAPI specification is parsed. This in particular affects the 'generate' and 'validate' commands in swagger-codegen <= 2.2.2 and can lead to...

CVSS 8.8 · AI score 8.9 · EPSS 0.00463
Exploits 0 · References 2
OSV
added 2017/11/17 2:29 a.m. · 4 views

CVE-2017-1000208

A vulnerability in Swagger-Parser's (version <= 1.0.30) YAML parsing functionality results in arbitrary code being executed when a maliciously crafted YAML OpenAPI specification is parsed. This in particular affects the 'generate' and 'validate' commands in swagger-codegen <= 2.2.2 and can lead to...

CVSS 8.8 · AI score 7.3 · EPSS 0.00463
Exploits 0 · References 2
Prion
added 2017/11/17 2:29 a.m. · 11 views

Design/Logic Flaw

A vulnerability in Swagger-Parser's (version <= 1.0.30) YAML parsing functionality results in arbitrary code being executed when a maliciously crafted YAML OpenAPI specification is parsed. This in particular affects the 'generate' and 'validate' commands in swagger-codegen <= 2.2.2 and can lead to...

CVSS 6.8 · AI score 8.9 · EPSS 0.00463
Exploits 0 · References 2 · Affected Software 2
Cvelist
added 2017/11/17 2:00 a.m. · 15 views

CVE-2017-1000208

A vulnerability in Swagger-Parser's (version <= 1.0.30) YAML parsing functionality results in arbitrary code being executed when a maliciously crafted YAML OpenAPI specification is parsed. This in particular affects the 'generate' and 'validate' commands in swagger-codegen <= 2.2.2 and can lead to...

AI score 8.9 · EPSS 0.00463
Exploits 0 · References 2
CVE
added 2017/11/17 2:00 a.m. · 66 views

CVE-2017-1000208

CVE-2017-1000208 involves Swagger-Parser 1.0.30 and earlier with YAML parsing that enables arbitrary code execution when processing crafted OpenAPI specs. It impacts Swagger Codegen commands generate/validate (

CVSS 8.8 · AI score 8.9 · EPSS 0.00463
Exploits 0 · References 2 · Affected Software 2
Packet Storm
added 2016/06/28 12:00 a.m. · 61 views

JSON Swagger CodeGen Parameter Injector

This module requires Metasploit: http://metasploit.com/download. Current source: https://github.com/rapid7/metasploit-framework. Gems: require 'base64'. Project: require 'msf/core'. class MetasploitModule ... 'JSON Swagger CodeGen Parameter Injector', 'Description' => %q{ This module generates an Open API...

AI score 0.4
Exploits 3
Metasploit
added 2016/06/23 1:09 p.m. · 79 views

JSON Swagger CodeGen Parameter Injector

This module generates an Open API Specification 2.0 (Swagger) compliant JSON document that includes payload insertion points in parameters. In order for the payload to be executed, an attacker must convince someone to generate code from a specially modified swagger.json file within a vulnerable...

AI score 7.2
Exploits 3
myhack58
added 2008/12/01 12:00 a.m. · 14 views

The use of JSON Hijacking and a Web API security vulnerability warning - the black bar safety net

by: cosine. What JSON Hijacking can do, as a black-hat brother put it: you can CSRF the user's private data. a. The principle was presented last time; first an attack example, using Fanfou for the experiment. First of all, see this: http://help.fanfou.com/api.html, the Fanfou API. Wherein:...

AI score 7.3
Exploits 0
ATTACKERKB
added 2007/12/20 8:46 p.m. · 0 views

CVE-2007-6500

Unspecified vulnerability in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to delete "gateway information" via a request to OpenApi/GatewayVariables.asp...

CVSS 4.9 · AI score 5.7 · EPSS 0.01728
Exploits 1 · References 10