966 matches found

Openbugbounty
added 2023/05/04 11:18 a.m. · 16 views

api.shopsuite.com Cross Site Scripting vulnerability OBB-3293092

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

AI score 6
Exploits 0
OSV
added 2023/05/03 9:57 p.m. · 55 views

GHSA-R97Q-GHCH-82J9 Ghost vulnerable to information disclosure of private API fields

Impact Due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack. GhostPro has already been patched. We can find no evidence that the issue was exploited on GhostPro prior to the patch being added. Self-hosters are...

CVSS 7.5 · AI score 7.4 · EPSS 0.0717
Exploits 0 · References 5
Kitploit
added 2023/05/03 12:30 p.m. · 26 views

Metlo - An Open-Source API Security Platform

Secure Your API. Metlo is an open-source API security platform. With Metlo you can: Create an Inventory of all your API Endpoints and Sensitive Data. Detect common API vulnerabilities. Proactively test your APIs before they go into production. Detect API attacks in real time. Metlo does this by...

AI score 8.3
Exploits 0 · References 3
Imperva Blog
added 2023/05/01 6:45 p.m. · 24 views

Imperva Continues to Innovate With New Features for Online Fraud Prevention

Last year, Imperva embarked on a mission to help organizations combat the growing threat of digital fraud. We introduced a new solution and a range of innovative features to help detect and prevent online fraud at its earliest stages. Imperva Online Fraud Prevention stops fraud ranging from...

AI score 6.7
Exploits 0
Prion
added 2023/05/01 3:15 p.m. · 20 views

Code injection

A valid, authenticated XCC user with read only access may gain elevated privileges through a specifically crafted API call...

CVSS 6.5 · AI score 8.6 · EPSS 0.0057
Exploits 0 · References 1 · Affected Software 109
Prion
added 2023/05/01 3:15 p.m. · 10 views

Format string

A valid, authenticated user may be able to trigger a denial of service of the XCC web user interface or other undefined behavior through a format string injection vulnerability in a web interface API...

CVSS 6.5 · AI score 8.4 · EPSS 0.00526
Exploits 0 · References 1 · Affected Software 109
Positive Technologies
added 2023/04/26 12:00 a.m. · 3 views

PT-2023-20732 · Mariadb +3 · Mariadb +3

Name of the Vulnerable Software and Affected Versions: Sangoma FreePBX versions 1805 through 2302 Description: The issue exposes cleartext authentication credentials for the Asterisk Database MariaDB/MySQL and Asterisk Manager Interface by placing AMPDBUSER, AMPDBPASS, AMPMGRUSER, and AMPMGRPASS ...

CVSS 8.1 · AI score 8 · EPSS 0.00279
Exploits 0 · References 7
Imperva Blog
added 2023/04/25 1:04 p.m. · 24 views

Imperva Unveils Latest API Security Enhancements

Imperva is continuing to evolve its API Security offering to help customers better protect their APIs, wherever they are, and to meet changing market requirements. Since launching API Security in March 2022, we continued investing in our API Security offering with the goal of simplifying the...

AI score 7.2
Exploits 0
Positive Technologies
added 2023/04/21 12:00 a.m. · 2 views

PT-2023-22474 · H3C · H3C Magic R200

Name of the Vulnerable Software and Affected Versions: H3C Magic R200 version R200V100R004 Description: A stack overflow issue was discovered via the go parameter at the "/goform/aspForm" API endpoint. This issue affects the H3C Magic R200 device. Recommendations: For H3C Magic R200 version...

CVSS 4.9 · AI score 5 · EPSS 0.00388
Exploits 0 · References 5
Imperva Blog
added 2023/04/19 1:47 p.m. · 29 views

Imperva and Kong Partner to Bring API Security to the Gateway for Enhanced API Management

Imperva is delighted to announce a new partnership with Kong Inc, provider of the leading cloud-native API platform, to offer best-in-class API Security to users of the Kong platform. Through the new partnership, Kong Enterprise customers can protect their business applications and data by...

AI score 7.2
Exploits 0
Akamai Blog
added 2023/04/18 1:00 p.m. · 20 views

Slipping Through the Security Gaps: The Rise of Application and API Attacks

...

AI score 6.8
Exploits 0
Wallarm Lab
added 2023/04/14 7:28 p.m. · 16 views

Connect with Wallarm at RSA 2023

We’re looking forward to seeing you at this year’s RSA Conference! Don’t forget to set up a meeting with our executives, as they would love to hear more about your team’s application security needs and chat with you about how Wallarm can help. Visit Us at Booth 6585 in the North Expo Hall Wallarm...

AI score 6.6
Exploits 0
Wallarm Lab
added 2023/04/06 2:27 p.m. · 85 views

Changes in OWASP API Security Top-10 2023RC | API Security Newsletter

Welcome to our March API newsletter, recapping some of the events of last month. And what a month it was. Among other buzzworthy news, OWASP published the initial Release Candidate for the 2023 API Security Top-10 list – we analyzed the ins & outs and presented them over the course of a couple of...

CVSS 7.5 · AI score 9.6 · EPSS 0.94522
Exploits 56
OSV
added 2023/03/31 9:30 p.m. · 362 views

GHSA-58G2-VGPG-335Q request-baskets vulnerable to Server-Side Request Forgery

request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/name. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request...

CVSS 6.5 · AI score 6.1 · EPSS 0.9332
Exploits 29 · References 7
Vulnrichment
added 2023/03/31 11:35 a.m. · 6 views

CVE-2023-1777 Information disclosure in linked message previews

Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message...

CVSS 6.5 · AI score 6.6 · EPSS 0.00311
Exploits 0 · References 1
CVE
added 2023/03/31 12:00 a.m. · 98 views

CVE-2023-27162

CVE-2023-27162 affects openapi-generator up to v6.4.0. Affected component: SSRF via /api/gen/clients/{language}, enabling an attacker to access network resources and sensitive information. CVSS v3.1 base score 9.1 (CRITICAL); attack vector network, low complexity, no privileges, no user interacti...

CVSS 9.1 · AI score 8.9 · EPSS 0.00274
Exploits 1 · References 4 · Affected Software 1
CVE
added 2023/03/31 12:00 a.m. · 3476 views

CVE-2023-27163

CVE-2023-27163 affects Request-Baskets versions up to 1.2.1. The issue is a Server-Side Request Forgery (SSRF) via the /api/baskets/{name} endpoint, where the forward_url parameter can direct requests to internal or restricted resources. Ambitious attackers can leverage this to access internal ne...

CVSS 6.5 · AI score 6.1 · EPSS 0.9332
In wild · Exploits 29 · References 6 · Affected Software 1
The Hacker News
added 2023/03/29 11:43 a.m. · 41 views

Smart Mobility has a Blindspot When it Comes to API Security

The emergence of smart mobility services and applications has led to a sharp increase in the use of APIs in the automotive industry. However, this increased reliance on APIs has also made them one of the most common attack vectors. According to Gartner, APIs account for 90% of the web application...

AI score 6.8
Exploits 0
Prion
added 2023/03/24 12:15 a.m. · 10 views

Code injection

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the directusrefreshtoken is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3...

CVSS 1.7 · AI score 5.6 · EPSS 0.00061
Exploits 1 · References 3 · Affected Software 1
Wallarm Lab
added 2023/03/23 1:13 p.m. · 20 views

Insights into the New OWASP API Security Top-10 for CISOs

ICYMI, we recently presented A CISO's Guide to the New 2023 OWASP API Security Update. In this first of two planned webinars, Stepan Ilyin and Tim Ebbers provided an overview of what's in and what's out in the planned update and had a lively discussion about how this impacts your API security plan...

AI score 7
Exploits 0