138 matches found
Enhanced API Scanning with Postman Support in Qualys WAS
Due to the fast-growing usage of REST APIs, having a way to test them for vulnerabilities in an automated, reliable way is more important than ever. Automated testing of APIs is a little trickier than for web applications. You can't simply enter a starting URL for the scanner and click "Go"...
ACT Platform - Open Platform For Collection And Exchange Of Threat Intelligence Information
Semi-Automated Cyber Threat Intelligence ACT is a research project led by mnemonic as with contributions from the University of Oslo, NTNU, Norwegian Security Authority NSM, KraftCERT and Nordic Financial CERT. The main objective of the ACT project is to develop a platform for cyber threat...
CVE-2019-1003001
A flaw was found in Jenkins Pipeline. In the Declarative plugin, the script sandbox protection could be circumvented during the script compilation phase by applying AST. Both the pipeline validation REST APIs and the actual script/pipeline execution are affected. This allows users with Overall/Re...
Description of the security update for SharePoint Enterprise Server 2016: February 13, 2018
None None...
Securing Container Deployments with Qualys
With container adoption booming, security teams must protect the applications that DevOps teams create and deploy using this method of OS virtualization. The security must be comprehensive across the entire container lifecycle, and built into the DevOps pipeline in a way that is seamless and...
Security Bulletin: Missing authorization concept for IBM Business Process Manager (BPM) User Attributes CVE-2014-0908
Summary The User Attribute feature in IBM Business Process Manager does not have an authorization concept. Vulnerability Details As a consequence, each user can read and update their own attribute values and the attribute values for another user by using REST APIs. However, there are...
CVE-2017-16018
Restify is a framework for building REST APIs. Restify =2.0.0 =4.0.4 using URL encoded script tags in a non-existent URL, an attacker can get script to run in some browsers...
CVE-2017-16018
Restify is a framework for building REST APIs. Restify =2.0.0 =4.0.4 using URL encoded script tags in a non-existent URL, an attacker can get script to run in some browsers...
Intentionally Insecure Webapp for Security Training: OWASP Juice Shop
OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in JavaScript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. It was the first application written entirely in JavaScri...
CVE-2017-8013
EMC Data Protection Advisor 6.3.x before patch 67 and 6.4.x before patch 130 contains undocumented accounts with hard-coded passwords and various privileges. Affected accounts are: "Apollo System Test", "emc.dpa.agent.logon" and "emc.dpa.metrics.logon". An attacker with knowledge of the password...
Hardcoded credentials
EMC Data Protection Advisor 6.3.x before patch 67 and 6.4.x before patch 130 contains undocumented accounts with hard-coded passwords and various privileges. Affected accounts are: "Apollo System Test", "emc.dpa.agent.logon" and "emc.dpa.metrics.logon". An attacker with knowledge of the password...
CVE-2017-8013
CVE-2017-8013 affects EMC Data Protection Advisor 6.3.x (before patch 67) and 6.4.x (before patch 130). Root cause: undocumented accounts with hard-coded passwords (Apollo System Test, emc.dpa.agent.logon, emc.dpa.metrics.logon) enabling access via REST APIs and potentially administrative privile...
Description of the security update for SharePoint Enterprise Server 2016: March 13, 2018
None None...
CVE-2018-7272
The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as part of the URL, which allows attackers to obtain sensitive information by finding an ID value in a log file...
Cross site request forgery (csrf)
The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as part of the URL, which allows attackers to obtain sensitive information by finding an ID value in a log file...
Personalized User Focused Security: Stethoscope
Stethoscope is a web application that collects information from existing device data sources e.g., JAMF or LANDESK on a given user’s devices and gives them clear and specific recommendations for securing their systems. Stethoscope consists of two primary pieces: a Python-based back-end and a...
Fedora 18 : ReviewBoard-1.7.16-2.fc18 / python-djblets-0.7.21-1.fc18 (2013-18911)
Review Board 1.6.19 and 1.7.15 fix a few issues in the API where users could access certain data they should not have been able to access, if using the Local Sites feature, invite-only groups, or private repositories. It also fixes cases with invite-only groups where the group name and list of...
Fedora 19 : ReviewBoard-1.7.16-2.fc19 / python-djblets-0.7.21-1.fc19 (2013-18931)
Review Board 1.6.19 and 1.7.15 fix a few issues in the API where users could access certain data they should not have been able to access, if using the Local Sites feature, invite-only groups, or private repositories. It also fixes cases with invite-only groups where the group name and list of...