Qualys released QScanner – a console vulnerability scanner for container images
Qualys released QScanner - a console vulnerability scanner for container images. Feed it an image and get a list of vulnerabilities a la Trivy. It supports: "Local Runtimes: Scan images from Docker, Containerd, or Podman. Local Archives: Analyze Docker images or OCI layouts from local files. Remot...
GO-2024-2882 github.com/huandu/facebook may expose access_token in error message.
github.com/huandu/facebook may expose access_token in error message...
CVE-2024-35232
The CVE-2024-35232 issue affects github.com/huandu/facebook, a Go package for Facebook Graph API usage. The root cause is that an access_token can be exposed in error messages during HTTP request failures, enabling potential information disclosure if logs or clients capture those messages. The vu...
CVE-2024-35232 github.com/huandu/facebook may expose access_token in error message
github.com/huandu/facebook is a Go package that fully supports the Facebook Graph API with file upload, batch request and marketing API. access_token can be exposed in error message on fail in HTTP request. This issue has been patched in version 2.7.2...
GHSA-QHHJ-7HRC-GQJ5 Home Assistant vulnerable to account takeover via auth_callback login
Part of the Cure53 security audit of Home Assistant. The audit team’s analyses confirmed that the redirect_uri and client_id are alterable when logging in. Consequently, the code parameter utilized to fetch the access_token post-authentication will be sent to the URL specified in the aforementioned...
CVE-2023-41893 Account takeover via auth_callback login in Home Assistant Core
Home Assistant is an open source home automation platform. The audit team’s analyses confirmed that the redirect_uri and client_id are alterable when logging in. Consequently, the code parameter utilized to fetch the access_token post-authentication will be sent to the URL specified in the aforementioned...
CVE-2022-30735
Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6 allows attackers to get the access_token without permission...
CVE-2022-30735
CVE-2022-30735 affects Samsung Account prior to version 13.2.00.6, where improper privilege management allows an attacker to obtain an access_token without permission. The root cause is privilege mismanagement in Samsung Account’s access handling. Affected component: Samsung Account authenticatio...
CVE-2021-22568
When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend...
CVE-2019-13337
In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token; this is the parameter used by the API. No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is...
CVE-2019-13337
WESEEK GROWI prior to 3.5.0 is affected. A flaw in site-wide basic authentication allows bypass by supplying the URL parameter access_token (the API parameter). No valid token is validated by the backend, enabling the website to be browsed as if authentication were not required. The core issue is...
Design/Logic Flaw
doorGets 7.0 has a default administrator credential vulnerability. A remote attacker can use this vulnerability to gain administrator privileges for the creation and modification of articles via an H0XZlT44FcN1j9LTdFc5XRXhlF30UaGe1g3cZY6i1K9 access_token in a uri=blog&action=index&controller=blog...
CVE-2019-11618
CVE-2019-11618 affects doorGets 7.0 and is caused by a default administrator credential vulnerability. A remote attacker can gain administrator privileges to create/modify articles by using the token H0XZlT44FcN1j9LTdFc5XRXhlF30UaGe1g3cZY6i1K9 in a URI (blog action to /api/index.php). Public docu...
CVE-2018-20555
The Design Chemical Social Network Tabs plugin 1.7.1 for WordPress allows remote attackers to discover Twitter access_token, access_token_secret, consumer_key, and consumer_secret values by reading the dcwp_twitter.php source code. This leads to Twitter account takeover...
CVE-2018-20555
The CVE-2018-20555 entry concerns the WordPress plugin Social Network Tabs (Design Chemical), specifically versions around 1.7.1. The vulnerability is an information disclosure where remote attackers can read the file dcwp_twitter.php and obtain Twitter OAuth tokens and secrets (access_token, ac...
Information Disclosure
atomic-openshift is vulnerable to information disclosure. An origin validation vulnerability was found in OpenShift Enterprise. An attacker could potentially access API credentials stored in a web browser's localStorage if anonymous access was granted to a service/proxy or pod/proxy API for a...
Cross site scripting
Cross-site scripting (XSS) vulnerability in admin/partials/uif-access-token-display.php in the Ultimate Instagram Feed plugin before 1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "access_token" parameter...
CVE-2017-16758
Cross-site scripting (XSS) vulnerability in admin/partials/uif-access-token-display.php in the Ultimate Instagram Feed plugin before 1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "access_token" parameter...
CVE-2016-3703
Red Hat OpenShift Enterprise 3.2 and 3.1 do not properly validate the origin of a request when anonymous access is granted to a service/proxy or pod/proxy API for a specific pod, which allows remote attackers to access API credentials in the web browser localStorage via an access_token in the quer...