CVE-2024-26310

Archer Platform 6.8 before 6.14 P2 6.14.0.2 contains an improper access control vulnerability. A remote authenticated malicious user could potentially exploit this to gain access to API information that should only be accessible with extra privileges...

OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295)

Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or...

Wallarm to Unveil New API Security Solution and Strategic Shift at Black Hat Europe 2023

If you're involved with cybersecurity and are based in Europe, then Black Hat Europe 2023 in London, December 6 and 7 is a must-attend event. Wallarm, the experts in API and Application Security, will be attending the event, and we're excited to connect with you. If you are planning to attend, co...

Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Microsoft WDAC OLE DB provider for SQL Server is an API from Microsoft Corporation USA that allows access to data from a variety of sources in a unified way. A remote code execution vulnerability exists in Microsoft WDAC OLE DB provider for SQL Server, which can be exploited by an attacker to...

CVE-2022-3683 SDM600 API web services authorization validation

A vulnerability exists in the SDM600 API web services authorization validation implementation. An attacker who successfully exploits the vulnerability could read data directly from a data store that is not restricted, or insufficiently protected, having access to sensitive data. This issue...

SUSE CVE-2023-1232

Insufficient policy enforcement in Resource Timing in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to obtain potentially sensitive information from API via a crafted HTML page. Chromium security severity: Low...

DEBIAN-CVE-2023-1232

Insufficient policy enforcement in Resource Timing in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to obtain potentially sensitive information from API via a crafted HTML page. Chromium security severity: Low...

UBUNTU-CVE-2023-1233

Insufficient policy enforcement in Resource Timing in Google Chrome prior to 111.0.5563.64 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from API via a crafted Chrome Extension. Chromium security severity: Low...

SUSE CVE-2018-18837

An issue was discovered in Netdata 1.10.0. HTTP Header Injection exists via the api/v1/data filename parameter because of webclientapirequestv1data in web/api/webapiv1.c...

SUSE CVE-2019-2602

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE subcomponent: Libraries. Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via...

Vulnerabilities fixed in Sophos firewall

Sophos has fixed several vulnerabilities in Sophos firewall. A malicious party could exploit the vulnerabilities to obtain system data through API calls and Cross-Site-Scripting XSS attacks. In addition, arbitrary code can be executed if the malicious party has gained management rights or gained...

DEBIAN-CVE-2022-3444

Insufficient data validation in File System API in Google Chrome prior to 106.0.5249.62 allowed a remote attacker to bypass File System restrictions via a crafted HTML page and malicious file. Chromium security severity: Low...

Liferay Portal and Liferay DXP Fails to Sanitize API Data

Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 19, and 7.2 before fix pack 7, does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers...

GHSA-8J5R-9687-88W5 Liferay Portal and Liferay DXP Fails to Sanitize API Data

Liferay Portal 7.x before 7.3.2, and Liferay DXP 7.0 before fix pack 92, 7.1 before fix pack 19, and 7.2 before fix pack 7, does not sanitize the information returned by the DDMDataProvider API, which allows remote authenticated users to obtain the password to REST Data Providers...

CVE-2022-23443

An improper access control in Fortinet FortiSOAR before 7.2.0 allows unauthenticated attackers to access gateway API data via crafted HTTP GET requests...

CVE-2022-23443

An improper access control in Fortinet FortiSOAR before 7.2.0 allows unauthenticated attackers to access gateway API data via crafted HTTP GET requests...

Thanks for sharing!

Thanks for sharing! I also wrote about \u encoding several times https://lab.wallarm.com/what-stealthy-attacks-are-hiding-in-api-data%E2%80%8A-%E2%80%8Aand-why-do-most-waf-miss-them-c9f59e865d74/ That’s why we implemented parsers in Wallarm...

CVE-2020-25638

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized...

PT-2020-2594

Name of the Vulnerable Software and Affected Versions Java SE versions 7u251, 8u241, 11.0.6, and 14 Java SE Embedded version 8u241 Description The issue is related to the Security component of Oracle Java SE and Java SE Embedded, allowing an unauthenticated attacker with network access via multip...

Smart Lock Turns Out to be Not So Smart, or Secure

Researchers are warning a keyless smart door lock made by U-tec, called Ultraloq, could allow attackers to track down where the device is being used and easily pick the lock – either virtually or physically. Ultraloq is a Bluetooth fingerprint and touchscreen door lock sold for about $200. It...