CVE-2024-34535
In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header...
End-to-End Security for APIs: From Development Through Retirement
...
CVE-2024-21545
Summary of CVE-2024-21545 (Proxmox VE) : A defect in Proxmox Virtual Environment allows an authenticated user with ‘Sys.Audit’ or ‘VM.Monitor’ privileges to read arbitrary host files via the API by leveraging the handle_api2_request logic that reads a local file when a malicious download object i...
lobe-chat implemented an insufficient fix for GHSA-mxhq-xw3g-rphc (CVE-2024-32964)
Summary SSRF protection implemented in https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts does not consider redirect and could be bypassed when attacker provides external malicious url which redirects to internal resources like private network or loopback address. PoC 1. Ru...
GHSA-RXQ8-Q85F-M866 Prevent XSS from Confidant API call
Impact What kind of vulnerability is it? Who is impacted? Potential XSS from API calls below: GET /v1/credentials GET /v1/credentials/ GET /v1/archive/credentials/ GET /v1/archive/credentials POST /v1/credentials PUT /v1/credentials/ PUT /v1/credentials// GET /v1/services GET /v1/services/ GET...
Chicago API Security Summit 2024
Thank You Chicago! Earlier this week we had the pleasure of hosting a regional API Security Summit in Chicago (well, actually in Lombard). These summits bring together the local cybersecurity community for a half-day of API Security-focused content, including expert speakers and panelists. While this...
API Attack Surface: How to secure it and why it matters
Managing an organization’s attack surface is a complex problem involving asset discovery, vulnerability analysis, and continuous monitoring. There are multiple well-defined solutions to secure the attack surface, such as extended detection and response (EDR or XDR), security information & event...
Best Practices to Help Meet PCI DSS v4.0 API Security Compliance
...
Inside the NIST Cybersecurity Framework 2.0 and API Security
...
How Securing APIs Factors into DORA Compliance
...
Embed API Security into Regulatory Compliance: Six Examples to Watch
Read about how to meet API-related requirements in six key regulations and frameworks to better protect your organization...
CVE-2024-44076
In Microcks before 1.10.0, the POST /api/import and POST /api/export endpoints allow non-administrator access...
Unveiling Top API Vulnerabilities and Emerging Trends: Introducing the Wallarm Q2 2024 API ThreatStats™ Report
As we move through 2024, the Wallarm Research Team continues to monitor the evolving API vulnerability and threat landscape. Our latest Q2 ThreatStats™ Report reveals critical trends and developments that are reshaping the security environment. Continuing from our Q1 findings, the surge in AI API...
Deploy API Security On-Premises with New Imperva API Security Anywhere Self-Managed Option
API Security Anywhere Self-Managed Option Imperva continues to deliver solutions that help customers protect their applications and APIs, whether in the Cloud, on-premises, or in a hybrid environment. Imperva API Security includes a SaaS-based and an on-premises solution, both managed in the...
Secure Your APIs and Reduce Your Attack Surface With Modern, AI-powered API Security in Qualys Web Application Scanning (WAS)
The rise of APIs presents both opportunities and challenges in today’s hyperconnected digital world. APIs are integral to digital transformation initiatives across industries. The latest data indicates that over 83% of web traffic now comprises API traffic, highlighting their critical role in...
TracFone will pay $16 million to settle FCC data breach investigation
Following three separate data breaches between 2021 and 2023 which exposed the proprietary information (PI) of TracFone Wireless customers, the Federal Communications Commission (FCC) announced that the Verizon-owned company has agreed to pay a $16 million civil penalty to settle the government...
How Can Deliberately Flawed APIs Help In Mastering API Security?
In our recent webinar titled 'A CISO’s Checklist for Securing APIs and Applications', we delved into the concept of creating an API security playground tailored for both developer and security teams. The core idea revolves around utilizing intentionally vulnerable APIs as training...
Securing APIs While Navigating Today’s Booming API Economy
...
Measuring, Communicating, and Eliminating Risk With TruRisk™ in Qualys Web Application Scanning (WAS)
In an era where cyber threats loom larger and more complex than ever, organizations demand not just defense but intelligent, cohesive strategies for managing cyber risks. With the Enterprise TruRisk Platform, Qualys reaffirmed its commitment to these needs by focusing its cybersecurity solutions ...