What the NIS2 Directive Means for Your Business and Your APIs
Learn how implementing a comprehensive cybersecurity program that addresses all aspects of API security can ensure compliance with the NIS2 Directive...
PT-2023-21046 · Sap · Sap Netweaver As Java
Name of the Vulnerable Software and Affected Versions: SAP NetWeaver AS Java Object Analyzing Service version 7.50 Description: The issue allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access a service. This enables them to...
2022 Year-End API ThreatStats™ Report
In 2022, the Wallarm Threat Research team went through almost 350,000 reports to find 650 API-specific vulnerabilities, and tracked 115 published exploits impacting these vulnerabilities – all of which could negatively impact your business risk posture. The 2022 Year-End API ThreatStats™ Report...
Application Security vs. API Security: What is the difference?
As digital transformation takes hold and businesses become increasingly reliant on digital services, it has become more important than ever to secure applications and APIs (Application Programming Interfaces). With that said, application security and API security are two critical components of a...
CVE-2022-30299
A path traversal vulnerability CWE-23 in the API of FortiWeb 7.0.0 through 7.0.1, 6.3.0 through 6.3.19, 6.4 all versions, 6.2 all versions, 6.1 all versions, 6.0 all versions may allow an authenticated attacker to retrieve specific parts of files from the underlying file system via specially...
CVE-2022-38867
SQL Injection vulnerability in rttys versions 4.0.0, 4.0.1, 4.0.2, and 4.4.x in api.go, allows attackers to execute arbitrary code...
Octopus Strike! Three Argo CD API Exploits In Two Weeks
Argo CD is a popular Continuous Deployment tool that enables DevOps teams to manage their applications across multiple environments. However, in the past two weeks, three critical vulnerabilities have been detected in the tool, exposing sensitive information and compromising the security of the...
Yet More ImageMagick Vulnerabilities
ImageMagick is a popular open-source image manipulation library used by many websites and software applications to process and display images. A couple of vulnerabilities have recently been discovered in ImageMagick by MetabaseQ. Two vulnerabilities CVE-2022-44267 and CVE-2022-44268 allow attacke...
Don’t Let API Leaks Sink Your Ship | API Security Newsletter
Leaks of API keys and other secrets. The industry has been abuzz with news about attacks – and the ongoing ripple effect – involving leaked API keys, credentials and other secrets. This adds another dimension to your API attack surface, which in turn complicates your defenses and adds to your...
Learn from the T-Mobile API Breach to Improve Your API Security Program in 2023
A CISO’s job has never been more challenging. Engineering teams move fast, especially as organizations are accelerating their digital transformation efforts. The tech stack is exploding and varies greatly across the organization. And there is a surge of internal, external, and partner APIs. It’s...
Wallarm Releases New End-to-End Solution to Reduce Risk and Time-to-Remediate Leaked API Keys and Secrets
Advancement to API Security Technology Will Combat Recent Surge in Hacks Leveraging Leaked API; Early Release Now Available San Francisco, CA –BUSINESS WIRE– January 19, 2023 – Wallarm, the end-to-end API security company, today announced the early release of the Wallarm API Leak Management...
api.mycongressonline.net Cross Site Scripting vulnerability OBB-3160044
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
Wallarm adds Cybersecurity Leaders to its Board of Advisors
New Advisory Board Members Bring Extensive Experience to Assist Organizations Needing to Enhance and Accelerate their API Security Posture January 12, 2023 02:30 PM Eastern Standard Time SAN FRANCISCO -BUSINESS WIRE- Wallarm, the end-to-end API security company, is pleased to introduce the newest...
api.broadcastify.com Cross Site Scripting vulnerability OBB-3123633
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
api.dottnet.it Cross Site Scripting vulnerability OBB-3119753
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
CVE-2022-44013
CVE-2022-44013 affects Simmeth Lieferantenmanager before 5.6. The issue is an authentication bypass where a password in a Credential Object is not checked, allowing unauthenticated API calls. Public sources in connected documents confirm affected software (Simmeth Lieferantenmanager) and the root...
CVE-2022-46492
CVE-2022-46492 affects nbnbk (a ThinkPHP-based CMS/e-commerce platform). The vulnerability arises from an arbitrary file read via the API endpoint /api/Index/getFileBinary, associated with commit 879858451d53261d10f77d4709aee2d01c72c301. Documents consistently describe an arbitrary file read, but...
Reset API any user via IDOR
Description: Reset the API of any user, without any action from that user, via IDOR. Proof of Concept: 1- Create a user. 2- Go to settings. 3- Open Burp Suite to intercept the request. 4- Click on "Reset API". 5- This is the request body: "id":101,"resetOpenId":true 6- When changing the "id", for example to "102",...
Design/Logic Flaw
An access issue existed with privileged API calls. This issue was addressed with additional restrictions. This issue is fixed in iOS 16.2 and iPadOS 16.2, tvOS 16.2, watchOS 9.2. A user may be able to elevate privileges...
LinkedIn: Entire database of emails exposed through URN injection
The entire database of LinkedIn emails was exposed due to a vulnerability in the decoration feature of the Voyager API. An attacker could assign an URN value to a text field inside a profile and trigger a URN resolution to retrieve the email. The query engine did not check whether a field should ...