CVE-2022-24124
Casdoor prior to 1.13.1 is affected by an unauthenticated SQL injection in the query API (api/get-organizations) via the field and value parameters. The Nuclei template and related proofs indicate an unauthenticated remote injection that can dump database information and potentially lead to data ...
CVE-2021-46561
controller/org.controller/org.controller.js in the CVE Services API 1.1.1 before 5c50baf3bda28133a3bc90b854765a64fb538304 allows an organizational administrator to transfer a user account to an arbitrary new organization, and thereby achieve unintended access within the context of that new...
CVE-2022-21282
CVE-2022-21282 is a combined Java/Oracle Java SE/GraalVM issue reported across multiple advisories. The connected documents identify assorted affected components and versions, notably: Serialization, JAXP, Libraries, Hotspot, and ImageIO within Oracle Java SE and GraalVM Enterprise Edition. A...
What is API Abuse? Prevention measures.
APIs are paramount for constructing a steadfast and constant communication bridge that empowers devices to pass on desired information seamlessly. Hackers adopt many ways to exploit APIs and corrupt the targeted device. This API exploitation is a potential threat to API security and needs...
CVE-2021-27738
All request mappings in StreamingCoordinatorController.java handling /kylin/api/streamingcoordinator/ REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification...
2021 in Review, Part 3: 5 Things Security Professionals Were Discussing this Year
Today, everyone is talking about CVE-2021-44228, and with good reason. But before that, here were five of the issues that dominated virtual “water cooler talk” in 2021: 5. Data security in the cloud Champion heavyweight boxer Mike Tyson said, “Everyone has a plan until they get punched in the...
API Portal: Introduction, Usage and Security Tips
As the name suggests, an API Portal is an intermediary used for connecting API suppliers and end-users. Situated on the company’s website, it’s a document featuring the key usages of API. While one tries to grasp the essence of API and its usage, knowing properly about API Portal is essential, as...
CoAP Protocol: Definition, Architecture
Professionals involved in IoT network design or development will have come across CoAP. A standard set by the IETF, it works best for constrained IoT-enabled solutions. To help you understand CoAP (Constrained Application Protocol) better, we have prepared this post,...
Sql injection
Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The escaping of offset and length inputs to the generation of a LIMIT clause was not properly cast to an integer, allowing SQL injection to take place if application developers passed unescaped user input to the DBAL QueryBuilder or any other A...
Observable Discrepancy
Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid non-SSO accounts because /api/v1/session returned 401 for an existing username and 404 otherwise...
CVE-2021-43176
The CVE-2021-43176 entry describes a GOautodial API vulnerability: prior to commit 3c3a979 (Oct 13, 2021), the API accepts a user-supplied action parameter and appends .php to locate/load a PHP file, without sanitizing the action input. This allows an attacker to execute any PHP source file prese...
CVE-2021-43679
CVE-2021-43679 affects ecshop v2.7.3. A SQL injection vulnerability exists in shopex\ecshop\upload\api\client\api.php, stemming from lack of input validation in database queries and allowing arbitrary SQL execution per referenced CNVD/CVE entries. The CVSS metrics indicate high severity (CRITICAL...
CVE-2021-43686
CVE-2021-43686 affects nZEDb v0.4.20. The vulnerability is a Cross Site Scripting (XSS) in www/pages/api.php where the exit function terminates the script and prints the value provided via the input parameter $_GET['t']. The root cause is improper handling/filtering of input data in that path, en...
Information Disclosure even after CVE-2020-14179/JRASERVER-71536
Issue Summary: Unauthorized access to data from the following APIs even if public.access.disabled is enabled: /rest/api/2/projectCategory, /rest/api/2/resolution, /rest/menu/latest/admin. Steps to Reproduce: Install Jira 8.13.9 with H2 database; create a project and some Project categori...
API Security Tutorial
Historical API Evolution As per the documented history, web APIs emerged towards the end of the 1990s with the launch of Salesforce’s sales automation solution. At that point in time, it was an open resource, available to everyone. Salesforce’s automation tool was XML-driven and the...
Differences SOAP vs REST: Comparison of protocols and their security
SOAP and REST are two of the most used terms in the API development sector. If you don’t have thorough knowledge of the two, you may wonder: Why should a developer choose one and ditch the other? Can these two be used at the same time? …and so on. Well, it’s a lot of information and is covered bit by bit in th...
How to Defend against App Impersonation in 2021
Most users who install applications through legitimate channels such as the Google Play Store or the Apple App Store do so with complete trust that their information is safe from malicious attacks. This makes sense, because they’re the official app stores across the globe. However, despite tight...
CVE-2021-41252
Kirby CMS vulnerability CVE-2021-41252 affects the writer field in Kirby’s site frontend: unsanitized HTML content can be injected and executed as XSS when a logged-in Panel user saves content via the API. The issue stems from inadequate escaping of HTML in the writer field, enabling malicious HT...
Our journey to API security at Raiffeisen Bank International
This article was written by Peter Gerdenitsch, Group CISO at Raiffeisen Bank International, and is based on a presentation given during Imvision's Executive Education Program, a series of events focused on how enterprises are taking charge of the API security lifecycle. Launching the "Security in...
Predicting the Next OWASP API Security Top 10
As a long-time OWASP member and application security practitioner, I wanted to share my thoughts on how the newly released OWASP Web App Top 10 might impact or influence the updates to the API Security Top 10, last released back in December 2019. These lists cover the most common causes for...