IBM Security Bulletins
added 2018/06/15 7:08 a.m., 34 views

Security Bulletin: API Connect Portal is affected by multiple Drupal vulnerabilities

Summary: IBM API Connect has addressed the following vulnerabilities. API Connect Portal is affected by multiple Drupal vulnerabilities. Vulnerability Details: CVEID: CVE-2017-6924 DESCRIPTION: Drupal could allow a remote attacker to bypass security restrictions, caused by a fl...

CVSS 9.8 | AI score 6.9 | EPSS 0.03017
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2018/06/15 7:05 a.m., 20 views

Security Bulletin: Incorrect authorization for update of process instance variables in IBM Business Process Manager (CVE-2016-0349)

Summary: Due to incorrect authorization for update of process instance variables, users without the required permission can update process instance variables in IBM Business Process Manager. Vulnerability Details: CVEID: CVE-2016-0349 DESCRIPTION: IBM Business Process Manager allows authenticated users...

CVSS 6.5 | AI score 1.9 | EPSS 0.01464
Exploits 0 | Affected Software 3

IBM Security Bulletins
added 2018/06/15 7:02 a.m., 25 views

Security Bulletin: Insufficient authorization in Service REST API and cross site scripting vulnerability in REST API affecting IBM Business Process Manager (CVE-2015-1905, CVE-2015-1906)

Summary: IBM Business Process Manager REST API is vulnerable to cross site scripting due to insufficiently restricted parameter values for controlling content types. IFixes shipped with this advisory also close an additional vulnerability due to insufficient authorization checks on interacting wit...

CVSS 4 | AI score 0.6 | EPSS 0.0148
Exploits 0 | Affected Software 3

IBM Security Bulletins
added 2018/06/15 7:02 a.m., 20 views

Security Bulletin: Insufficient authorization check in IBM Business Process Manager (BPM) Search REST API (CVE-2014-6139)

Summary: Using the Search REST API, non-administrative users can search for task and process instances that they are not allowed to see by specifying a parameter that should be available only to administrative users. Vulnerability Details: CVE ID: CVE-2014-6139 CVSS Base Score: 3.5 CVSS Temporal...

CVSS 4 | AI score 0.6 | EPSS 0.00995
Exploits 0 | Affected Software 3

Prion
added 2018/05/31 8:29 p.m., 14 views

Design/Logic Flaw

i18n-node-angular is a module used to interact between i18n and angular without using additional resources. A REST API endpoint that is used for development in i18n-node-angular before 1.4.0 was not disabled in production environments; a malicious user could fill up the server, causing a Denial of...

CVSS 6 | AI score 7.5 | EPSS 0.00801
Exploits 0 | References 2 | Affected Software 1

NVD
added 2018/05/31 8:29 p.m., 24 views

CVE-2016-10524

i18n-node-angular is a module used to interact between i18n and angular without using additional resources. A REST API endpoint that is used for development in i18n-node-angular before 1.4.0 was not disabled in production environments; a malicious user could fill up the server, causing a Denial of...

CVSS 8.2 | AI score 8.3 | EPSS 0.00801
Exploits 0 | References 2

OSV
added 2018/05/31 8:29 p.m., 15 views

CVE-2016-10524

i18n-node-angular is a module used to interact between i18n and angular without using additional resources. A REST API endpoint that is used for development in i18n-node-angular before 1.4.0 was not disabled in production environments; a malicious user could fill up the server, causing a Denial of...

CVSS 8.2 | AI score 8.5
Exploits 0 | References 2

Cvelist
added 2018/05/31 8:00 p.m., 27 views

CVE-2016-10524

i18n-node-angular is a module used to interact between i18n and angular without using additional resources. A REST API endpoint that is used for development in i18n-node-angular before 1.4.0 was not disabled in production environments; a malicious user could fill up the server, causing a Denial of...

AI score 8.3 | EPSS 0.00801
Exploits 0 | References 2

ThreatPost
added 2018/05/29 4:22 p.m., 13 views

Google Patches reCAPTCHA Bypass

Google has fixed a bypass for its reCAPTCHA authentication mechanism – the Turing test-based methodology for proving that website users aren’t robots, commonly spotted on log-in pages online. The news comes as Google releases a new version of reCAPTCHA in beta. Google has been working on refining...

AI score 7.4
Exploits 0 | References 4

Prion
added 2018/05/28 5:29 p.m., 17 views

Cross-site request forgery (CSRF)

The REST API in Dataiku DSS before 4.2.3 allows remote attackers to obtain sensitive information, i.e., determine whether a username is valid, because of profile picture visibility...

CVSS 5 | AI score 5.1 | EPSS 0.01613
Exploits 0 | References 2 | Affected Software 1

NVD
added 2018/05/28 5:29 p.m., 19 views

CVE-2018-10732

The REST API in Dataiku DSS before 4.2.3 allows remote attackers to obtain sensitive information, i.e., determine whether a username is valid, because of profile picture visibility...

CVSS 5.3 | AI score 5.1 | EPSS 0.01613
Exploits 0 | References 2

Cvelist
added 2018/05/28 5:00 p.m., 22 views

CVE-2018-10732

The REST API in Dataiku DSS before 4.2.3 allows remote attackers to obtain sensitive information, i.e., determine whether a username is valid, because of profile picture visibility...

AI score 5.1 | EPSS 0.01613
Exploits 0 | References 2

CVE
added 2018/05/28 5:00 p.m., 38 views

CVE-2018-10732

Dataiku DSS REST API (affected product: Dataiku DSS) prior to version 4.2.3 is affected. The vulnerability arises from profile picture visibility in the REST API, enabling remote attackers to determine whether a username is valid (information disclosure). The root cause is insufficient access co...

CVSS 5.3 | AI score 5.1 | EPSS 0.01613
Exploits 0 | References 2 | Affected Software 1

Atlassian
added 2018/05/28 2:22 p.m., 581 views

Any user able to manage space watchers using the REST API

Summary: Any Confluence user is able to manage Space Watchers by using the REST API. Steps to Reproduce: Create a user that belongs to the "confluence-users" group (example: user1). Using an Administrator user, create a new space and restrict the space to the administrator user. As the normal user...

AI score 7
Exploits 0 | Affected Software 1

Kitploit
added 2018/05/26 11:09 p.m., 20 views

Burpa - A Burp Suite Automation Tool

A Burp Suite Automation Tool With Slack Integration. Requirements: burp-rest-api, Burp Suite Professional, slackclient. Usage: $ python burpa.py -h (prints the burpa ASCII banner, "burpa version 0.1 / by 0x4D31", followed by the help text) usage: burpa.py -h -a scan,proxy-config,stop -pP PROXYPORT...

AI score 7.5
Exploits 0 | References 2

Kitploit
added 2018/05/24 10:22 p.m., 344 views

Archerysec - Open Source Vulnerability Assessment And Management Helps Developers And Pentesters To Perform Scans And Manage Vulnerabilities

Archery is an open-source vulnerability assessment and management tool which helps developers and pentesters to perform scans and manage vulnerabilities. Archery uses popular open-source tools to perform comprehensive scanning of web applications and networks. It also performs web application dynami...

AI score 6.9
Exploits 0 | References 6

Tenable Nessus
added 2018/05/23 12:00 a.m., 15 views

WordPress 4.7.x < 4.7.2 REST API 'id' Parameter Privilege Escalation

The WordPress application running on the remote web server is version 4.7.x prior to 4.7.2. It is, therefore, affected by a privilege escalation vulnerability in the REST API due to a failure to properly sanitize user-supplied input to the 'id' parameter when editing or deleting blog posts. An...

CVSS 7.5 | AI score 7.8 | EPSS 0.81848
Exploits 0 | References 3

Hacker One
added 2018/05/22 8:23 p.m., 1321 views

LocalTapiola: Wordpress Users Disclosure (/wp-json/wp/v2/users/)

Information: Using the REST API, we can see all the WordPress users/authors with some of their information. Steps to Reproduce: You can get user info by entering the URL below in your browser: https://www.lahitapiolarahoitus.fi/wp-json/wp/v2/users/ Result: "id": 1, "name": "LTR", "url": "",...

AI score 7.2
Exploits 0

Imperva Blog
added 2018/05/11 3:43 p.m., 37 views

Imperva Python SDK – We’re All Consenting SecOps Here

Managing your WAF can be a complicated task. Custom policies, signatures, application profiles, gateway plugins… there’s a good reason ours is considered the best in the world. Back when security teams were in charge of just a handful of WAF stacks and a few dozen applications, things were...

AI score 0.4
Exploits 0

Kitploit
added 2018/05/03 12:38 p.m., 27 views

Astra - Automated Security Testing For REST API's

REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early in the development cycle. Astra can automatically...

AI score 8.2
Exploits 0 | References 1