EUVD-2024-55056

Nagios XI versions prior to 2024R1.1.2 may confirmed in 2024R1.1 and 2024R1.1.1 disclose sensitive user account information including API keys and hashed passwords to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account...

PT-2025-44662

Name of the Vulnerable Software and Affected Versions LogicalDOC Community Edition versions up to 9.2.1 Description A flaw exists in the API Key creation UI component that allows for cross site scripting. Remote exploitation is possible. The issue has been publicly disclosed, and the vendor was...

PT-2025-44671

Name of the Vulnerable Software and Affected Versions Summer Pearl Group Vacation Rental Management Platform versions prior to 1.0.2 Description The Summer Pearl Group Vacation Rental Management Platform is affected by inadequate server-side authorization. Authenticated attackers can access and...

LogicalDOC Community Edition 代码注入漏洞

LogicalDOC Community Edition is a documentation system from LogicalDOC Italy. A code injection vulnerability exists in LogicalDOC Community Edition 9.2.1 and earlier versions, which stems from a cross-site scripting vulnerability in the API Key creation UI component...

Ubiquiti多款产品 安全漏洞

Ubiquiti UniFi Talk Touch, among others, is an IP phone from Ubiquiti USA. A security vulnerability exists in various Ubiquiti products, which stems from an unintentional enablement of the internal debugging feature, which could allow an attacker to invoke internal debugging operations via the...

CVE-2025-34283 Nagios XI < 2024R1.4.2 API Key Disclosure via Neptune Themes

Nagios XI versions prior to 2024R1.4.2 revealed API keys to users who were not authorized for API access when using Neptune themes. An authenticated user without API privileges could view another user's or their own API key value...

PT-2025-44494

Name of the Vulnerable Software and Affected Versions Nagios Log Server versions prior to 2024R1 Description Nagios Log Server versions prior to 2024R1 have an incorrect authorization issue. Users without the necessary API permissions could access API endpoints, leading to unauthorized data acces...

PT-2025-44521

Name of the Vulnerable Software and Affected Versions Nagios XI versions prior to 2024R1.4.2 Description Nagios XI versions prior to 2024R1.4.2 had a flaw where API keys were exposed to users lacking the necessary API access permissions when utilizing Neptune themes. An authenticated user, even...

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from not properly negotiating supported features, which could lead to API compatibility issues...

CVE-2025-61119

CVE-2025-61119 affects Kanova Android App v1.0.27 (package com.karelane) by Karely L.L.C. The issue is improper access control that allows attackers to manipulate API request parameters to access user details and group information (including entry codes). Documented impact includes privacy breach...

CVE-2025-62368

Taiga is an open source project management platform. In versions 6.8.3 and earlier, a remote code execution vulnerability exists in the Taiga API due to unsafe deserialization of untrusted data. This issue is fixed in version 6.9.0...

API Attack Awareness: Business Logic Abuse — Exploiting the Rules of the Game

As Cybersecurity Awareness Month continues, we wanted to dive even deeper into the attack methods affecting APIs. We’ve already reviewed Broken Object Level Authentication BOLA, injection attacks, and authentication flaws; this week, we’re exploring business logic abuse BLA. Unlike technical flaw...

CVE-2025-62259

Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has verified their email address, which allows remote...

CVE-2025-62367

Taiga (open source project management platform) – CVE-2025-62367 affects Taiga API in versions 6.8.3 and earlier, where a time-based blind SQL injection can disclose sensitive data via response timing. Root cause: improper handling of API input enabling blind SQL injection. Impact: potential expo...

CVE-2025-59461

A remote unauthenticated attacker may use the unauthenticated C++ API to access or modify sensitive data and disrupt services...

CVE-2025-41090 Improper Access Control in CCN-CERT microCLAUDIA

microCLAUDIA in v3.2.0 and prior has an improper access control vulnerability. This flaw allows an authenticated user to perform unauthorized actions on other organizations' systems by sending direct API requests. To do so, the attacker can use organization identifiers obtained through a...

CVE-2025-34293

GN4 Publishing System versions prior to 2.6 contain an insecure direct object reference IDOR vulnerability via the API. Authenticated requests to the API's object endpoints allow an authenticated user to request arbitrary user IDs and receive sensitive account data for those users, including the...

EUVD-2025-35966

Insertion of Sensitive Information Into Sent Data vulnerability in airesvsg ACF to REST API acf-to-rest-api allows Retrieve Embedded Sensitive Data.This issue affects ACF to REST API: from n/a through = 3.3.4...

PT-2025-43925

Name of the Vulnerable Software and Affected Versions affected versions not specified Description A remote, unauthenticated attacker may be able to access or modify sensitive data and disrupt services by leveraging the unauthenticated C++ API. Recommendations At the moment, there is no informatio...

CVE-2023-37749

Incorrect access control in the REST API endpoint of HubSpot v1.29441 allows unauthenticated attackers to view users' data without proper authorization...