Improper access control

Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access or control for. The Harbor API did not enforce the proper...

CVE-2019-14433

A vulnerability was found in the Nova Compute resource fault handling. The Nova Compute service might leak configuration information or other sensitive information because of a failed API request. To trigger this vulnerability, the API request needs to fail due to an external exception. The abili...

openstack-nova: Nova server resource faults leak external exception details

A vulnerability was found in the Nova Compute resource fault handling. The Nova Compute service might leak configuration information or other sensitive information because of a failed API request. To trigger this vulnerability, the API request needs to fail due to an external exception. The abili...

Information Disclosure

openstack-nova is vulnerable to information disclosure. An external exception from an API request from an authenticated user results in the leak of environment information or other confidential information such as configuration data...

Cross-site Scripting (XSS) - Generic in boxbilling/boxbilling

Overview Boxbilling is a free billing & client management software Affected versions of this software are vulnerable to Cross-site Scripting XSS. It is possible to inject JavaScript with object decoding such as alert1 resulting in XSS. Technical Description if we look in...

CVE-2019-14433

The CVE-2019-14433 issue affects OpenStack Nova (versions before 17.0.12, 18.x before 18.2.2, 19.x before 19.0.2). It allows authenticated API requests that fault to leak environment details in responses, potentially exposing sensitive configuration data (partial confidentiality impact). Red Hat ...

CVE-2019-14433

An issue was discovered in OpenStack Nova before 17.0.12, 18.x before 18.2.2, and 19.x before 19.0.2. If an API request from an authenticated user ends in a fault condition due to an external exception, details of the underlying environment may be leaked in the response, and could include sensiti...

CVE-2018-18837

An issue was discovered in Netdata 1.10.0. HTTP Header Injection exists via the api/v1/data filename parameter because of webclientapirequestv1data in web/api/webapiv1.c...

CVE-2019-12452

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control which is contrary to the API documentation, allows remote authenticated users to discover password hashes by reading the Basic HTT...

CVE-2018-16886

etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control RBAC is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name CN which matches a valid RBAC username, a remot...

CVE-2018-1833

IBM Event Streams 2018.3.0 could allow a remote attacker to submit an API request with a fake Host request header. An attacker, who has already gained authorised access via the CLI, could exploit this vulnerability to spoof the request header. IBM X-Force ID: 150507...

Cross site request forgery (csrf)

IBM Event Streams 2018.3.0 could allow a remote attacker to submit an API request with a fake Host request header. An attacker, who has already gained authorised access via the CLI, could exploit this vulnerability to spoof the request header. IBM X-Force ID: 150507...

CVE-2018-1833

IBM Event Streams 2018.3.0 could allow a remote attacker to submit an API request with a fake Host request header. An attacker, who has already gained authorised access via the CLI, could exploit this vulnerability to spoof the request header. IBM X-Force ID: 150507...

Gatecoin: API request signature can be reused with other parameters/data than the original in certain cases

If an attacker can intercept/see an API-request from a client who has a system-clock that is slightly ahead of the server time then the attacker can re-use the API request-signature towards the same URL but with a different payload. This can for some of the endpoint lead to serious vulnerabilitie...

Werewolf Online 0.8.8 - Information Disclosure

Exploit Title: Werewolf Online 0.8.8 - Insecure Logging Date: 2018-05-24 Software Link: https://play.google.com/store/apps/details?id=com.werewolfapps.online Download Link: https://apkpure.com/werewolf-online-unreleased/com.werewolfapps.online/download?from=details Exploit Author: ManhNho Version...

ZOHO ManageEngine ServiceDesk Plus Cross-Site Scripting Vulnerability

ZOHO ManageEngine ServiceDesk Plus SDP is the United States ZhuoHao ZOHO company's set of ITIL architecture based on IT service management software ITSM. The software integrates incident management, problem management, asset management, IT project management, procurement and contract management a...

Design/Logic Flaw

The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token...

CVE-2015-8008

The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token...

CVE-2015-8008

The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token...

Stack overflow

The remote management interface on the Claymore Dual GPU miner 10.1 allows an unauthenticated remote attacker to execute arbitrary code due to a stack-based buffer overflow in the request handler. This can be exploited via a long API request that is mishandled during logging...