CVE-2024-23687
CVE-2024-23687 affects the FOLIO module-data-export-spring. The issue arises from hard-coded credentials in the module, allowing unauthenticated access to critical APIs and enabling modification of user data, configurations (including single sign-on), and fees/fines. Affected versions are before ...
CVE-2024-23329 changedetection.io API endpoint is not secured with API token
changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint /api/v1/watch//history can be reached by any user without an API token. As a result any unauthenticated party can read a watch's change history. However, because an unauthorized party...
api.servicetrade.com Cross Site Scripting vulnerability OBB-3838239
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
Cross site request forgery (csrf)
pyLoad is a free and open-source download manager written in pure Python. The pyLoad API allows any API call to be made using GET requests. Since the session cookie is not issued with SameSite=Strict, a page controlled by an attacker can trigger those calls in a logged-in user's browser, which exposes the application to Cross-Site Request Forgery (CSRF) attac...
CVE-2024-22416
Affected software: pyLoad (Python-based download manager). Vulnerability: CSRF in the pyLoad API. Every API call is reachable over GET and the session cookie carries no SameSite attribute, so a cross-site request rides the victim's authenticated session and can invoke any API call on their behalf. This has been addressed in release 0.5.0b3.dev78, and all users are advised to upgr...
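The two controls that close this class of bug, shown as an added example and not as pyLoad's own code: the session cookie is issued with SameSite=Strict, and state-changing endpoints refuse GET and require a matching Origin header. The origin, cookie name, endpoint paths and session store are all hypothetical, and the requests are constructed WSGI environs so it runs offline.

```python
"""Hardening a cookie-authenticated JSON API against CSRF.

Added example, not pyLoad's code. Two independent controls are shown:
  1. the session cookie is issued with SameSite=Strict, so a request
     started from another site does not carry it;
  2. state-changing endpoints refuse GET and require an Origin header
     matching the deployment's own origin.
Every name below (origin, cookie name, endpoints, sessions) is hypothetical.
"""
from http.cookies import SimpleCookie

ALLOWED_ORIGIN = "https://dl.example.org"        # hypothetical deployment origin
SESSION_COOKIE = "session_id"
# Constructed sample session store: cookie value -> username.
VALID_SESSIONS = {"9f2c5a1e": "admin"}
# Hypothetical endpoints that change server state.
STATE_CHANGING = {"/api/add_package", "/api/delete_files"}


def session_cookie_header(session_id, secure=True):
    """Set-Cookie value to send on login. SameSite=Strict is the attribute
    whose absence lets a cross-site GET ride the victim's session."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = session_id
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["samesite"] = "Strict"
    c[SESSION_COOKIE]["path"] = "/"
    if secure:
        c[SESSION_COOKIE]["secure"] = True
    return c[SESSION_COOKIE].OutputString()


def make_environ(method, path, cookie=None, origin=None):
    """Build a minimal WSGI environ for offline testing (constructed input)."""
    env = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if cookie is not None:
        env["HTTP_COOKIE"] = cookie
    if origin is not None:
        env["HTTP_ORIGIN"] = origin
    return env


def _current_user(environ):
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = jar.get(SESSION_COOKIE)
    return VALID_SESSIONS.get(morsel.value) if morsel else None


def handle(environ):
    """Return (HTTP status, response dict) for one request."""
    path = environ.get("PATH_INFO", "")
    method = environ.get("REQUEST_METHOD", "GET").upper()
    user = _current_user(environ)
    if user is None:
        return "401 Unauthorized", {"error": "login required"}
    if path in STATE_CHANGING:
        # The vulnerable shape accepted GET here, so <img src="/api/..."> on
        # an attacker's page fired the action with the victim's cookie.
        if method != "POST":
            return "405 Method Not Allowed", {"error": "POST required"}
        # Browsers attach Origin to cross-origin POSTs; anything other than
        # our own origin is refused (defence in depth beside SameSite).
        if environ.get("HTTP_ORIGIN") != ALLOWED_ORIGIN:
            return "403 Forbidden", {"error": "cross-site request refused"}
    return "200 OK", {"user": user, "action": f"{method} {path}"}


if __name__ == "__main__":
    print(session_cookie_header("9f2c5a1e"))
    forged = make_environ("GET", "/api/delete_files", cookie="session_id=9f2c5a1e")
    print(handle(forged))  # the forged cross-site GET is refused
```

Everything here is cookie-authenticated, which is why the Origin check applies to every state-changing call; a non-browser client that authenticates with a bearer token instead of a cookie is not subject to CSRF and would be exempted from that check.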
CVE-2024-22406 Blind SQL-injection in DAL aggregations in Shopware
Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations...
api.presseportal.de Cross Site Scripting vulnerability OBB-3831900
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
Wallarm Named a Leader in GigaOm Radar for API Security
I am thrilled to share that Wallarm has been named a leader in the GigaOm Radar for API Security! We would like to share insights from the recent GigaOm 2023 API Security Radar report, particularly shining a spotlight on our Advanced API Security solution. The growing importance of APIs and API...
api.sms.army Cross Site Scripting vulnerability OBB-3829347
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
Addressing the Rising Threat of API Leaks
In cybersecurity the "leaky bucket" metaphor has become increasingly common, particularly in the context of API security. It describes the hidden vulnerabilities and exposures in API infrastructures that many organizations struggle to identify and address...
The Do’s and Don’ts of Modern API Security
CVE-2023-23584
An observable response discrepancy in the Gallagher Command Centre REST API allows an insufficiently-privileged user to infer the presence of items that would not otherwise be viewable. This issue affects: Gallagher Command Centre 8.70 prior to vEL8.70.1787 MR2, 8.60 prior to vEL8.60.2039 MR4, all...
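The mechanism behind an observable response discrepancy, as an added example that is not Gallagher's code: a lookup that answers 404 for an unknown item but 403 for an existing item the caller may not see gives an under-privileged caller an existence oracle, while a lookup that answers 404 in both cases does not. The item store, users and permissions are constructed sample data.

```python
"""Observable response discrepancy in an authorization check.

Added example, not Gallagher's code. lookup_leaky distinguishes
'does not exist' from 'exists but you may not see it'; lookup_uniform
collapses both into one response. Items, users and site permissions are
constructed sample data.
"""
ITEMS = {"door-101": "site-a", "door-102": "site-b"}      # id -> owning site
USER_SITES = {"alice": {"site-a"}, "mallory": set()}      # user -> visible sites


def lookup_leaky(item_id, user):
    """Vulnerable shape: the status code depends on whether the item exists."""
    if item_id not in ITEMS:
        return 404, None
    if ITEMS[item_id] not in USER_SITES.get(user, set()):
        return 403, None  # reveals that item_id is real
    return 200, {"id": item_id, "site": ITEMS[item_id]}


def lookup_uniform(item_id, user):
    """Hardened shape: unknown and forbidden are indistinguishable."""
    site = ITEMS.get(item_id)
    if site is None or site not in USER_SITES.get(user, set()):
        return 404, None
    return 200, {"id": item_id, "site": site}


def enumerate_existing(lookup, candidate_ids, user):
    """What an attacker learns: every id whose response differs from a miss.
    The baseline probe uses an id assumed not to exist in the store."""
    baseline = lookup("door-000-does-not-exist", user)[0]
    return [i for i in candidate_ids if lookup(i, user)[0] != baseline]


if __name__ == "__main__":
    probes = ["door-101", "door-102", "door-103"]
    print(enumerate_existing(lookup_leaky, probes, "mallory"))    # leaks real ids
    print(enumerate_existing(lookup_uniform, probes, "mallory"))  # learns nothing
```

Status codes are only the most obvious channel; response bodies, headers and response time for the two cases must be uniform as well, or the oracle survives the status-code fix.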
Workflows do not require password confirmation on API level
api2.open-bible.fr Cross Site Scripting vulnerability OBB-3817473
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
api.pamfax.biz Cross Site Scripting vulnerability OBB-3807576
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
CVE-2023-48866
CVE-2023-48866 is an XSS flaw in Grocy ≤ 4.0.3, affecting the recipe preparation endpoint (/api/objects/recipes) and the note component (/api/objects/shopping_lists/). The vulnerability allows attackers to obtain a victim’s cookies. The available connected sources confirm the affected software/ve...
Wallarm to Unveil New API Security Solution and Strategic Shift at Black Hat Europe 2023
If you're involved with cybersecurity and are based in Europe, then Black Hat Europe 2023 in London, December 6 and 7 is a must-attend event. Wallarm, the experts in API and Application Security, will be attending the event, and we're excited to connect with you. If you are planning to attend, co...
CVE-2023-47643
SuiteCRM before 8.4.2 exposes its GraphQL schema via unauthenticated GraphQL introspection, allowing an attacker to enumerate all object types, arguments, and functions (including sensitive fields such as UserHash). This is documented across multiple sources (NVD, Red Hat, OSV, and a dedicated Nuclei...
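One way to refuse unauthenticated introspection at the request boundary, as an added example that is not SuiteCRM's code: screen the GraphQL request body for the reserved __schema and __type root fields before it reaches the engine, after stripping string literals and comments so the check cannot be dodged by hiding the field name in an argument. The helper names and status values are hypothetical, and the queries in the test are constructed.

```python
"""Refusing unauthenticated GraphQL introspection at the request boundary.

Added example, not SuiteCRM's code. The request body is screened before
it reaches the GraphQL engine; queries selecting the reserved __schema or
__type fields are rejected unless the caller is authenticated. Helper
names and status values are hypothetical.
"""
import json
import re

# Strip block strings, ordinary strings and comments first, so the check
# cannot be dodged by putting "__schema" inside a string argument.
_BLOCK_STRING = re.compile(r'"""[\s\S]*?"""')
_STRING = re.compile(r'"(?:\\.|[^"\\\n])*"')
_COMMENT = re.compile(r"#[^\n]*")
# Reserved introspection root fields. __typename is harmless and does not
# match because \b requires the name to end right after "type".
_INTROSPECTION = re.compile(r"(?<!\w)__(?:schema|type)\b")


def is_introspection_query(query):
    """True if the query selects __schema or __type anywhere."""
    cleaned = _BLOCK_STRING.sub('""', query)
    cleaned = _STRING.sub('""', cleaned)
    cleaned = _COMMENT.sub("", cleaned)
    return _INTROSPECTION.search(cleaned) is not None


def gate_request(raw_body, authenticated):
    """Return (status, reason). Accepts a single or a batched GraphQL request."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, "malformed JSON"
    operations = body if isinstance(body, list) else [body]
    for op in operations:
        query = op.get("query") if isinstance(op, dict) else None
        if not isinstance(query, str):
            return 400, "missing query"
        if is_introspection_query(query) and not authenticated:
            return 403, "introspection requires authentication"
    return 200, "forwarded to GraphQL engine"


if __name__ == "__main__":
    # Constructed sample: the standard introspection entry point, sent anonymously.
    print(gate_request('{"query": "query Q { __schema { types { name } } }"}', False))
```

Turning introspection off in the GraphQL server's own configuration is the primary fix; this boundary check is a stopgap for deployments that cannot change the engine yet. Field-name suggestions in error messages ("Did you mean ...") leak schema names by a different route and need to be disabled separately.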
Mozilla: Exposure of account recovery hint by querying by user email
The account recovery hint was exposed by querying the API with a user email. This allowed obtaining the hint and could enable phishing attacks...
CVE-2023-48198
A Cross-Site Scripting (XSS) vulnerability in the 'product description' component within '/api/stock/products' of Grocy version <= 4.0.3 allows attackers to obtain a victim's cookies...