CVE-2016-3072
Multiple sources describe CVE-2016-3072 as a SQL injection in Katello’s API (the scoped_search handling in app/controllers/katello/api/v2/api_controller.rb) that lets authenticated remote users inject SQL through the sort_by or sort_order parameters. Connected advisories (GHSA-527R-MFMJ-PRQF, GHSA-JX5V-788G-QW58)...
api.smule.com Open Redirect vulnerability
Open Bug Bounty ID: OBB-157445

| Description | Value |
|---|---|
| Affected Website: | api.smule.com |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | Open Redirect / CWE-601 |
| CVSSv3 Score: | 3.4... |
Protecting Cloud APIs Critical to Mitigating Total Compromise
When it comes to cloud computing, APIs more or less drive everything, but in the eyes of some researchers, existing security controls around them haven’t kept pace. While individual components of a system can be secure, when that system gets deployed in the cloud it can often become insecure – an...
api.gruvvin.com XSS vulnerability
Vulnerable URL: http://api.gruvvin.com/showpage.php?showinfoid=%22%3E%3Csvg/onload=prompt%28/OPENBUGBOUNTY/%29%3E

| Description | Value |
|---|---|
| Patched: | No |
| Latest check for patch: | 26.07.2017 |
| Vulnerability type: | XSS |
| Vulnerability status: | Publicly disclosed |
| Alexa Rank | Unknown / Not... |
Bumble: Password modification without knowing actual password & httpOnly bypass
Two issues: the session cookie is returned in the HTML source of the /encounters page, which would allow an XSS attacker to steal it even though httpOnly is set. A secret value present in the HTML source of some api.phtml pages can be used to modify a user's password without knowing the current one...
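The first issue above is a generic failure mode: the HttpOnly flag stops script from reading document.cookie, but it does nothing if the server also writes the cookie value into the page. The following is an added example (not code from the report or from Bumble) of the check a scanner or test suite can run against a captured response: parse the Set-Cookie headers, and flag any HttpOnly cookie whose value appears in the body verbatim or percent-encoded. The headers and bodies are constructed sample data, not captured from the site.

```python
from urllib.parse import quote


def parse_set_cookie_headers(headers):
    """Map cookie name -> (value, httponly_flag) from (header, value) pairs."""
    cookies = {}
    for header, raw in headers:
        if header.lower() != "set-cookie":
            continue
        attrs = [p.strip() for p in raw.split(";")]
        name, _, value = attrs[0].partition("=")
        flags = {a.lower() for a in attrs[1:]}
        cookies[name] = (value, "httponly" in flags)
    return cookies


def httponly_values_in_body(headers, body, min_len=8):
    """Return the names of HttpOnly cookies whose value is echoed in the body,
    either verbatim or percent-encoded. Values shorter than min_len are
    skipped so short tokens such as 'en' do not cause false positives."""
    leaked = []
    for name, (value, httponly) in parse_set_cookie_headers(headers).items():
        if not httponly or len(value) < min_len:
            continue
        if value in body or quote(value, safe="") in body:
            leaked.append(name)
    return leaked


# Constructed sample response: a session cookie marked HttpOnly whose value
# the page template has also embedded in an inline script.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=a1b2c3d4e5f6a7b8c9d0; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]
SAMPLE_BODY = """<html><body>
<script>window.App = {session: "a1b2c3d4e5f6a7b8c9d0", lang: "en"};</script>
</body></html>"""
CLEAN_BODY = "<html><body><script>window.App = {lang: 'en'};</script></body></html>"

if __name__ == "__main__":
    print(httponly_values_in_body(SAMPLE_HEADERS, SAMPLE_BODY))  # ['session']
    print(httponly_values_in_body(SAMPLE_HEADERS, CLEAN_BODY))   # []
```

The percent-encoded check matters because templates often emit cookie values inside URLs; a cookie that survives this check can still leak through other channels (for example a JSON endpoint), so run the same test against every response type the application serves.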
VK.com: Dork
Hi VK team, we enter site:api.vk.com into Google and get a list of links; narrowing the query to site:api.vk.com accesstoken, we get links containing accesstoken...
api.forismatic.com XSS vulnerability
Vulnerable URL: http://api.forismatic.com/api/1.0/?method=getQuote=jsonp&lang=en=%22%3E%3Csvg/onload=prompt%28/XSSPOSED/%29%3E

| Description | Value |
|---|---|
| Patched: | No |
| Latest check for patch: | 26.07.2017 |
| Vulnerability type: | XSS |
| Vulnerability status: | Publicly disclosed |
| Alexa Rank | Unknown /... |
phpyun v4.0 api/locoy/model/news.class.php SQL injection vulnerability
No description provided by source...
api.txtlocal.com XSS vulnerability
Open Bug Bounty ID: OBB-104968

| Description | Value |
|---|---|
| Affected Website: | api.txtlocal.com |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | XSS Cross Site Scripting / CWE-79 |
| CVSSv3 Score: | 6.1... |
Shopify: Bypass access restrictions from API
This issue allowed users with limited access to login into a Shopify Mobile application, capture their own access token, and perform queries against Shopify's API in order to create new users with full access, or delete other users. An additional issue was reported, where users with no access cou...
[SECURITY] Fedora 20 Update: php-ZendFramework-1.12.9-1.fc20
Extending the art & spirit of PHP, Zend Framework is based on simplicity, object-oriented best practices, corporate friendly licensing, and a rigorously tested agile code base. Zend Framework is focused on building more secure, reliable, and modern Web 2.0 applications & web services, and...
SA-CONTRIB-2014-092 - Services - Cross Site Scripting, Access bypass
The Services module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. New user's password set to weak password in userresourcecreate: when creating a new user account via Services, the new user's password was set to a weak password. This issue is mitigated...
Moderate: Red Hat Security Advisory: Red Hat Enterprise Virtualization Manager 3.4.0 update
Red Hat Enterprise Virtualization Manager 3.4 is now available. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System CVSS base scores, which give detailed severity ratings, are available for each vulnerability from the CV...
Fedora 20 : mediawiki-1.21.6-1.fc20 (2014-3338)
bug 60771 SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. User will get an error including the namespace name if they use a non-whitelisted namespace. - bug 61346 SECURITY: Make token comparison use constant time. It seems like our token...
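The bug 61346 fix above replaces a token comparison that stops at the first mismatching byte with one that always examines the whole string. The block below is an added example (not MediaWiki code) that makes the difference measurable: each comparison returns how many bytes it examined, which is exactly the quantity a remote timing attacker reconstructs one byte position at a time. The production-ready form is the stdlib primitive, hmac.compare_digest, shown in verify_csrf_token.

```python
import hmac


def naive_equal(a: bytes, b: bytes):
    """Early-exit comparison as commonly written. Returns (equal, bytes_examined);
    the second value grows with the length of the correct prefix, which is the
    side channel a timing attack exploits."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a: bytes, b: bytes):
    """Examines every byte regardless of where the first mismatch is, so the
    work done no longer depends on how much of the guess was right.
    Short-circuiting on a length mismatch is acceptable when tokens have a
    fixed length, as CSRF and session tokens normally do."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined


def verify_csrf_token(presented: str, expected: str) -> bool:
    """What application code should actually call."""
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    good = b"0123456789abcdef"
    print(naive_equal(good, b"X123456789abcdef"))          # (False, 1)
    print(naive_equal(good, b"0123456789abcdeX"))          # (False, 16)
    print(constant_time_equal(good, b"X123456789abcdef"))  # (False, 16)
    print(verify_csrf_token("0123456789abcdef", "0123456789abcdef"))  # True
```

The two hand-written functions exist only to show the behaviour; in real code use hmac.compare_digest and never reimplement the comparison, since an interpreter or compiler can reintroduce data-dependent branches that the source does not show.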
CVE-2014-2244
Cross-site scripting XSS vulnerability in the formatHTML function in includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to inject arbitrary web script or HTML via a crafted string located after http:// in t...
Facebook Fixes CSRF Vulnerability in Instagram
Until last week, some parts of the API that Instagram uses were vulnerable to a cross-site request forgery CSRF attack, something that could have put photos users thought were private, out in the open. It took almost six months but Facebook, the photo sharing application’s parent company, patched...
CVE-2013-4182
CVE-2013-4182 affects Foreman prior to 1.2.2, specifically the API at /api/v1/hosts handled by hosts_controller.rb, where access checks were insufficient. This allowed remote attackers to access arbitrary hosts via the API request. The publicly documented remediation is to upgrade to Foreman 1.2....
shopEx 4.8.5 /api_b2b_2_0_payment_cfg.php SQL injection
Defective files: \core\api\payment\2.0\api_b2b_2_0_payment_cfg.php and core\api\payment\1.0\api_b2b_2_0_payment_cfg.php, line 44: $data['columns'] is not filtered, which leads to injection. Code: <?php set_time_limit(0); ob_flush(); echo 'Test: http://localhost:808'."\r\n"; $sql = 'columns= from sdbpaymentcfg WHERE 1 and select 1 fromselect count,concatselect select SELE...
CVE-2013-2546
The report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect C library function for copying strings, which allows local users to obtain sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability...