CVE-2023-26453
Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be...
CVE-2023-26452
Open-Xchange App Suite's imageconverter service is affected by an SQL injection vulnerability triggered when caching an image and returning its metadata, allowing arbitrary SQL statements to execute in the service DB user context. Exploitation requires access to adjacent networks (not exposed pub...
CVE-2023-26452
Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL...
CVE-2023-21370
In the Security Element API, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation...
Code injection
/api/v1/company/upload-logo in CompanyController.php in crater through 6.0.6 allows a superadmin to execute arbitrary PHP code by placing this code into an image/png IDAT chunk of a Company Logo image...
CVE-2023-46865
Crater (Crater Invoice) up to version 6.0.6 is affected. The vulnerability exists in /api/v1/company/upload-logo (CompanyController.php) where a superadmin can trigger arbitrary PHP code execution by embedding payloads in the IDAT chunk of a PNG image used for the logo. The root cause is insuffic...
Unlocking API Security Excellence: Wallarm at OWASP Global AppSec DC 2023
If you're involved in securing APIs, applications and web applications, or looking to learn about these, then the OWASP Global AppSec DC Conference next week is a must-attend event. Wallarm, the experts in API and application security, will be there, and we're excited to connect with you on Octob...
Social Login Flaws in Popular Websites Risked Billions of User Accounts
By Deeba Ahmed. The critical API security flaws in the social sign-in and OAuth Open Authentication implementations affected high-profile companies like… This is a post from HackRead.com. Read the original post: Social Login Flaws in Popular Websites Risked Billions of User Accounts...
CVE-2023-5576
The WPvivid Migration, Backup, Staging plugin for WordPress is affected by CVE-2023-5576, with Google Drive API secrets stored in plaintext in the plugin source up to version 0.9.91. This could allow unauthenticated attackers to impersonate the WPvivid Google Drive account via the API if a user i...
Elevating Enterprise API Security with Wallarm for MuleSoft Anypoint Platform
In an age characterized by digital transformation, APIs serve as the backbone of modern applications, enabling diverse systems to communicate and share data seamlessly. This widespread API adoption, however, exposes organizations to a considerable attack surface, inviting the attention of cyber...
2023 OWASP Top-10 Series: Wrap Up
Over the past several months, we've taken a journey through the new 2023 OWASP API Security Top-10 list. In the previous 12 weekly posts, we've delved into each category, discussed what it is, how it's exploited, why it matters, and suggested effective protections for each. Now, as we conclude th...
PT-2023-28354 · Wazuh · Wazuh
Name of the Vulnerable Software and Affected Versions: Wazuh versions 4.4.0 through 4.4.1 Description: The issue allows a logged-in user to the dashboard to obtain the Wazuh API administrator key, potentially gaining administrator access to the API, regardless of their dashboard role...
2023 OWASP Top-10 Series: Spotlight on Injection
Welcome to the 12th post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. In this series we are taking an in-depth look at each category – the details, the impact and what you can do about it. To see previous posts you might...
2023 OWASP Top-10 Series: API10:2023 Unsafe Consumption of APIs
Welcome to the 11th post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. This post will focus on API10:2023 Unsafe Consumption of APIs. In this series we are taking an in-depth look at each category – the details, the impact...
PT-2023-27327 · Google · Google Api
Name of the Vulnerable Software and Affected Versions: Modern Events Calendar lite plugin for WordPress versions up to, but not including, 7.1.0 Description: The issue is related to Stored Cross-Site Scripting via Google API key and Calendar ID due to insufficient input sanitization and output...
Unlocking Seamless API Security: Revenera’s Journey with Wallarm
In today's digital landscape, ensuring the security of web applications and APIs is paramount. The journey to find the right security solution can be filled with challenges and choices. In this blog post, we'll dive into the experience of Rob Davies, VP of Engineering and Lead Architect at...
Mastering API Security: Learn the 3 Key Principles at Kong API Summit 2023
In an era where APIs (Application Programming Interfaces) are the lifeblood of digital interactions, the need for robust API security has never been more critical. According to Gartner research, a staggering 90% of web-enabled applications are predicted to harbor vulnerabilities related to APIs. To...
2023 OWASP Top-10 Series: API9:2023 Improper Inventory Management
Welcome to the 10th post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. This post will focus on API9:2023 Improper Inventory Management. In this series we are taking an in-depth look at each category – the details, the impac...
Introducing Easy API Security Deployment
...
Elevate Your Cybersecurity with Imperva Cloud WAF: More Than Just a Checkbox
In the world of digital modernization, having a web application firewall (WAF) isn't an option - it's a necessity. But in the endless sea of security solutions, how do you choose the right one? How do you ensure that you're not merely checking a box, but genuinely fortifying your digital fortress? Whi...