9 matches found
CVE-2025-49183 Unencrypted communication (HTTP)
All communication with the REST API is unencrypted HTTP, allowing an attacker to intercept traffic between an actor and the webserver. This leads to the possibility of information gathering and downloading media files...
[PUNCIA] [CWE-319] Cleartext Transmission of Sensitive Information via HTTP urls in `API_URLS`
Impact: `API_URLS` uses HTTP instead of HTTPS for communication, which can lead to eavesdropping, data tampering, unauthorized data access and MITM attacks. References: ISSUE PATCH...
REST-Attacker - Designed As A Proof-Of-Concept For The Feasibility Of Testing Generic Real-World REST Implementations
REST-Attacker is an automated penetration testing framework for APIs following the REST architecture style. The tool's focus is on streamlining the analysis of generic REST API implementations by completely automating the testing process - including test generation, access control handling, and...
CVE-2021-36460
VeryFitPro com.veryfit2hr.second 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords. This allows an attacker in possession of a hash to take over a user's...
ZTE MF971R Referer authentication bypass vulnerability
Summary: An exploitable Referer mitigation bypass vulnerability exists in ZTE MF971R LTE router version wainnerversion:BDPLKPLMF971R1V1.0.0B06. A specially-crafted HTTP request can bypass Referer-based mitigation. An attacker needs to provide a URL to the victim to trigger the vulnerability. Teste...
Acronis: Local Privilege Escalation in anti_ransomware_service.exe via quarantine
`anti_ransomware_service.exe` includes functionality to quarantine files, which copies the suspected ransomware file from one directory to another using SYSTEM privileges. As any unprivileged user has write permissions in the quarantine folder, it is possible to control this privileged write with...
Foxit PDF Reader, PhantomPDF Open to Remote Code Execution
Foxit Software has released patches for dozens of high-severity flaws impacting its PDF reader and editor platforms. The most severe of the bugs, which exist on Windows versions of the software, enable a remote attacker to execute arbitrary code on vulnerable systems. Overall, Foxit Software...
What stealthy attacks are hiding in API data — and why do most WAF miss them?!
API Data: What is it and how is it saying it? APIs are the blood flow of today’s applications — from online browser-based apps to mobile apps to sophisticated distributed enterprise applications connecting dozens of...
Yahoo Fantasy Football Mobile App Vulnerable to Attack
All but the most recent version of the mobile application for Yahoo’s popular fantasy football service are vulnerable to a session hijack attack in which an unauthenticated person could remotely change team lineups, post messages and perform other mischief on behalf of the legitimate user...