84 matches found
PT-2023-23305 · Unknown · Eventcam App
Name of the Vulnerable Software and Affected Versions: EventCam App affected versions not specified Description: A remote unprivileged attacker can modify and access configuration settings due to the absence of API authentication in the EventCam App. This lack of authentication allows the attacke...
Hardcoded credentials
MXsecurity version 1.0 is vulnerable to a hardcoded credential vulnerability. The vulnerability has been reported to be exploitable to craft arbitrary JWT tokens and subsequently bypass authentication for web-based APIs...
CVE-2023-33236
CVE-2023-33236 affects Moxa MXsecurity Series software v1.0, where a vulnerability involving hard-coded credentials could be exploited to craft arbitrary JWT tokens and bypass authentication for web-based APIs. The issue enables remote exploitation with low attack complexity and no user interacti...
GHSA-J5FJ-RFH6-QJ85 Planet's secret file is created with excessive permissions
Impact The secret file stores the user's Planet API authentication information. It should only be accessible by the user, but its permissions allowed the user's group and non-group to read the file as well. Validation Check the permissions on the secret file with ls -l ~/.planet.json and ensure th...
PT-2023-23714 · Planet · Planet
Name of the Vulnerable Software and Affected Versions: Planet versions prior to 2.0.1 Description: The issue concerns the permissions of a secret file that stores the user's Planet API authentication information. This file should only be accessible by the user, but due to incorrect permissions, i...
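Added example, not the Planet SDK's own code: the check a practitioner would run for the secret-file issue described in the two Planet entries above (anything beyond owner read/write on a credentials file is a finding), the chmod that fixes it, and a writer that creates the file with 0600 from the start so there is no world-readable window. The file name reuses .planet.json but lives in a temporary directory, and its contents are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path


def insecure_bits(path: Path) -> int:
    """Return the group/other permission bits set on `path`.
    0 means only the owner can read or write it, which is what a credentials file needs."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO)


def harden_secret_file(path: Path) -> int:
    """Chmod to 0600 when anything beyond the owner can access it; return the resulting mode."""
    if insecure_bits(path):
        path.chmod(0o600)
    return stat.S_IMODE(path.stat().st_mode)


def write_secret_file(path: Path, contents: str) -> None:
    """Create the file already restricted to the owner.
    os.open applies 0o600 at creation (still filtered by umask, which can only
    remove bits, so the explicit chmod afterwards is belt-and-braces)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(contents)
    os.chmod(path, 0o600)


def demo() -> tuple:
    """Constructed scenario: a secret file left at 0644 (the bug), then hardened.
    Returns (insecure bits before, full mode after)."""
    d = Path(tempfile.mkdtemp())
    p = d / ".planet.json"
    p.write_text('{"key": "constructed-example-api-key"}')  # constructed contents
    p.chmod(0o644)  # reproduce the over-permissive mode
    before = insecure_bits(p)
    after = harden_secret_file(p)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print(f"group/other bits before: {b:o}, mode after: {a:o}")
```

The validation step from the advisory (ls -l and look for rw-------) is exactly what insecure_bits() automates; run it against every file that holds an API key, not just this one.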
CVE-2023-30394
The MoveIt framework 1.1.11 for ROS allows cross-site scripting (XSS) via the API authentication function. NOTE: this issue is disputed by the original reporter because it has "no impact."...
Cross site scripting
Progress Ipswitch MoveIT 1.1.11 was discovered to contain a cross-site scripting (XSS) vulnerability via the API authentication function...
PT-2023-22669 · Unknown · Moveit Framework
Name of the Vulnerable Software and Affected Versions: MoveIt framework version 1.1.11 Description: The issue concerns a cross-site scripting (XSS) flaw via the API authentication function. This allows for potential malicious script execution. No information is provided about the estimated number o...
SUSE CVE-2023-22644
A user can reverse engineer the JWT token (JSON Web Token) used in authentication for Manager and API access, forging a valid NeuVector Token to perform malicious activity in NeuVector. This can lead to an RCE...
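Added example, not code from Moxa, NeuVector or any of the databases listed on this page: a minimal HS256 signer and verifier showing the mechanism behind both the MXsecurity hardcoded-credential entries and the NeuVector entry above. Whoever knows the signing key (because it is baked into the image, or recoverable from the binary) can mint a token the verifier accepts; the remedy shown, a random per-installation key kept outside the shipped artifact, is the generic fix and not a statement about either vendor's patch. The key bytes, claims and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the signature checks out under `key`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # the token never gets to choose the algorithm
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(payload_b64))


# Constructed stand-in for a secret compiled into every shipped copy of a product.
HARDCODED_KEY = b"example-build-time-secret"


def forged_token_accepted(server_key: bytes) -> bool:
    """Attacker who knows HARDCODED_KEY mints an admin token; does a verifier
    configured with `server_key` accept it?"""
    attacker_token = sign_hs256({"sub": "admin", "role": "admin"}, HARDCODED_KEY)
    return verify_hs256(attacker_token, server_key) is not None


def per_install_key() -> bytes:
    """Fix: a fresh 256-bit key generated at install/first boot and stored outside the image."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    print("shipped key reused  ->", forged_token_accepted(HARDCODED_KEY))   # True
    print("per-install key     ->", forged_token_accepted(per_install_key()))  # False
```

Two things the verifier above does that the vulnerable pattern typically does not: it pins the algorithm server-side instead of trusting the token's alg header, and it compares the MAC with hmac.compare_digest. Neither helps while the key itself is public, which is why key provisioning, not token format, is the real fix.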
U.S. Dept Of Defense: [U.S. Air Force] Information disclosure due to unauthenticated access to APIs and system browser functions
Multiple information exposure vulnerabilities were found in a Jira Server instance, allowing unauthenticated attackers to access APIs and system browser functions, leading to unauthorized access to sensitive data. The vulnerability was registered as CVE-2020-14179...
CVE-2022-45073
Cross-Site Request Forgery (CSRF) vulnerability in REST API Authentication plugin <= 2.4.0 on WordPress...
CVE-2022-39308 GoCD API authentication of user access tokens subject to timing attack during comparison
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 inclusive are subject to a timing attack in validation of access tokens due to use of regular string comparison f...
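Added example, not GoCD's code: an instrumented early-exit comparison of the kind the GoCD entry describes, counting how many bytes were examined before the mismatch (the quantity an attacker infers from response time), a simulated position-by-position recovery of the token against that oracle, and the constant-time validator that closes the leak. The token value and alphabet are constructed; the "?" padding character is deliberately outside both.

```python
import hashlib
import hmac


def naive_compare(a: str, b: str, counter: list) -> bool:
    """Stops at the first differing byte, like a typical String.equals.
    counter[0] records how many positions were examined."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        counter[0] += 1
        if x != y:
            return False
    return True


def leaked_prefix_length(secret: str, guess: str) -> int:
    """How many leading bytes of `guess` the naive comparison confirms."""
    c = [0]
    naive_compare(secret, guess, c)
    return c[0]


def recover_via_oracle(secret: str, alphabet: str) -> str:
    """Simulated timing attack: at each position keep the character whose
    comparison examined the most bytes. For the final position the count is the
    same for every guess, so the attacker relies on the real 'token valid' result
    instead. Works only because naive_compare short-circuits."""
    recovered = ""
    for pos in range(len(secret)):
        best_char, best_depth = alphabet[0], -1
        for ch in alphabet:
            probe = recovered + ch + "?" * (len(secret) - pos - 1)  # '?' is not in the alphabet
            c = [0]
            if naive_compare(secret, probe, c):
                return probe  # the service accepted the token
            if c[0] > best_depth:
                best_char, best_depth = ch, c[0]
        recovered += best_char
    return recovered


def validate_access_token(presented: str, stored: str) -> bool:
    """Hardened check: hash both sides so lengths are equal and no length is
    leaked, then compare in constant time."""
    return hmac.compare_digest(
        hashlib.sha256(presented.encode()).digest(),
        hashlib.sha256(stored.encode()).digest(),
    )


if __name__ == "__main__":
    token = "abcdef1234"  # constructed access token
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    print("recovered:", recover_via_oracle(token, alphabet))
    print("constant-time valid:", validate_access_token("abcdef1234", token))
```

Real deployments replace the byte counter with a response-time measurement and many repetitions per guess to average out jitter, but the cost is the same: linear in the token length times the alphabet size instead of exponential. Hashing before hmac.compare_digest also avoids the length leak that compare_digest itself still has when its inputs differ in size.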
Apache Airflow < 1.10.11 Multiple Vulnerabilities
The version of Apache Airflow is prior to 1.10.11. It is, therefore, affected by multiple vulnerabilities, including the following: - An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it i...
CVE-2021-45900
Vivoh Webinar Manager prior to 3.6.3.0 has an improper API authentication flaw. After login to the administration configuration web portlet, a VIVOH_AUTH cookie is issued to identify users, and certain APIs can be called without proper authentication, enabling an attacker to impersonate a victim ...
CVE-2021-45900
Vivoh Webinar Manager before 3.6.3.0 has improper API authentication. When a user logs in to the administration configuration web portlet, a VIVOH_AUTH cookie is assigned so that they can be uniquely identified. Certain APIs can be successfully executed without proper authentication. This can let ...
CVE-2022-0732
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability...
Design/Logic Flaw
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability...
TIBCO Security Advisory: February 15, 2022 - TIBCO AuditSafe CVE-2022-22770
TIBCO AuditSafe API Authentication vulnerability Original release date: February 15, 2022 Last revised: --- CVE-2022-22770 Source: TIBCO Software Inc. Products Affected TIBCO AuditSafe versions 1.1.0 and below The following component is affected: Web Server Description The component listed above...