Shopify: Bypass access restrictions from API
This issue allowed users with limited access to log in to a Shopify Mobile application, capture their own access token, and perform queries against Shopify's API in order to create new users with full access, or delete other users. An additional issue was reported, where users with no access cou...
[SECURITY] Fedora 20 Update: php-ZendFramework-1.12.9-1.fc20
Extending the art & spirit of PHP, Zend Framework is based on simplicity, object-oriented best practices, corporate friendly licensing, and a rigorously tested agile code base. Zend Framework is focused on building more secure, reliable, and modern Web 2.0 applications & web services, and...
SA-CONTRIB-2014-092 - Services - Cross Site Scripting, Access bypass
The Services module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. New user's password set to weak password in _user_resource_create: when creating a new user account via Services, the new user's password was set to a weak password. This issue is mitigated...
Moderate: Red Hat Security Advisory: Red Hat Enterprise Virtualization Manager 3.4.0 update
Red Hat Enterprise Virtualization Manager 3.4 is now available. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CV...
Fedora 20 : mediawiki-1.21.6-1.fc20 (2014-3338)
bug 60771 SECURITY: Disallow uploading SVG files using non-whitelisted namespaces. Also disallow iframe elements. User will get an error including the namespace name if they use a non-whitelisted namespace. - bug 61346 SECURITY: Make token comparison use constant time. It seems like our token...
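The constant-time token comparison that the MediaWiki changelog entry above refers to, as an added Python illustration (this is not MediaWiki's own code, which is PHP, and MediaWiki's actual fix is not reproduced here). The byte counter returned alongside the result is instrumentation added for this example: it makes the side channel visible without having to measure response times.

```python
import hmac
from typing import Tuple


def naive_compare(expected: bytes, supplied: bytes) -> Tuple[bool, int]:
    """Early-exit comparison: returns at the first mismatching byte.

    The second value is the number of bytes examined. It grows with the
    length of the correct prefix of `supplied`, which is the signal a
    remote attacker observes as response time to recover a token one
    byte at a time.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for x, y in zip(expected, supplied):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, supplied: bytes) -> Tuple[bool, int]:
    """Walks every byte and accumulates differences with OR, so the work
    done does not depend on where (or whether) the inputs differ.

    This shows the shape of the algorithm; a Python loop is not guaranteed
    constant-time at the CPU level. Real code should call
    hmac.compare_digest, as verify_token does below.
    """
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    for x, y in zip(expected, supplied):
        diff |= x ^ y
    return diff == 0, len(expected)


def verify_token(expected: bytes, supplied: bytes) -> bool:
    """The call to use in production: the standard library's constant-time
    comparison. It still reveals whether the lengths match, so issue
    fixed-length tokens."""
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    token = b"deadbeefcafef00d"  # constructed sample token, not a real value
    for guess in (b"0000000000000000", b"deadbeef00000000", token):
        print(guess, naive_compare(token, guess), constant_time_compare(token, guess))
```

Run it and compare the second element of each pair: the naive version examines 1 byte for a wrong first byte, 9 for a guess with the first 8 bytes right, and all 16 for the correct token, while the constant-time version examines 16 every time.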
CVE-2014-2244 (Cross site scripting)
Cross-site scripting (XSS) vulnerability in the formatHTML function in includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to inject arbitrary web script or HTML via a crafted string located after http:// in t...
Facebook Fixes CSRF Vulnerability in Instagram
Until last week, some parts of the API that Instagram uses were vulnerable to a cross-site request forgery (CSRF) attack, something that could have put photos users thought were private out in the open. It took almost six months, but Facebook, the photo-sharing application's parent company, patched...
CVE-2013-4182
CVE-2013-4182 affects Foreman prior to 1.2.2, specifically the API at /api/v1/hosts handled by hosts_controller.rb, where access checks were insufficient. This allowed remote attackers to access arbitrary hosts via the API request. The publicly documented remediation is to upgrade to Foreman 1.2....
shopEx 4.8.5 /api_b2b_2_0_payment_cfg.php SQL injection
Vulnerable files: \core\api\payment\2.0\api_b2b_2_0_payment_cfg.php and core\api\payment\1.0\api_b2b_2_0_payment_cfg.php, line 44: $data['columns'] is not filtered, which leads to SQL injection. Code: <?php set_time_limit(0); ob_flush(); echo 'Test: http://localhost:808'."\r\n"; $sql = 'columns= from sdb_payment_cfg WHERE 1 and (select 1 from (select count(*),concat((select (select (SELE...
CVE-2013-2546 (Design/Logic Flaw)
The report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect C library function for copying strings, which allows local users to obtain sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability...
CVE-2012-2654
CVE-2012-2654 affects OpenStack Compute (Nova) EC2 and OS APIs in Folsom, Essex, and Diablo releases. The vulnerability arises from improper protocol validation when creating security groups if the network protocol isn’t specified in lowercase, allowing remote attackers to bypass access restricti...
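An added Python illustration of the class of flaw in the CVE-2012-2654 entry above: a validator that matches the protocol name case-sensitively and silently falls through for anything it does not recognise, beside a version that canonicalises the value first and rejects unknown protocols. This is example code, not Nova's; the rule shape, the port checks and the exact behaviour of the vulnerable branch are assumptions made to illustrate the summary, not a reconstruction of the Nova code path.

```python
from typing import Callable, Dict

# Assumed protocol set for the illustration; a real API would load this from
# its own schema.
KNOWN_PROTOCOLS = ("tcp", "udp", "icmp")


def _check_ports(protocol: str, from_port: int, to_port: int) -> None:
    """Port-range checks that only make sense for tcp/udp (assumed ranges)."""
    if protocol in ("tcp", "udp"):
        if not (1 <= from_port <= 65535 and 1 <= to_port <= 65535):
            raise ValueError("port out of range")
        if from_port > to_port:
            raise ValueError("from_port greater than to_port")


def vulnerable_create_rule(protocol: str, from_port: int, to_port: int) -> Dict[str, object]:
    """Assumed vulnerable pattern: checks are keyed on the exact string, and
    the value is only lowercased on the way into storage. 'TCP' matches
    nothing, so the port checks never run, yet the stored rule reads 'tcp'
    with whatever ports were supplied."""
    if protocol in KNOWN_PROTOCOLS:
        _check_ports(protocol, from_port, to_port)
    return {"protocol": protocol.lower(), "from_port": from_port, "to_port": to_port}


def hardened_create_rule(protocol: str, from_port: int, to_port: int) -> Dict[str, object]:
    """Canonicalise first, then validate against the canonical form, and
    treat anything unrecognised as an error rather than a pass-through."""
    proto = protocol.strip().lower()
    if proto not in KNOWN_PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r}")
    _check_ports(proto, from_port, to_port)
    return {"protocol": proto, "from_port": from_port, "to_port": to_port}


def rejects(create: Callable[..., Dict[str, object]], protocol: str, from_port: int, to_port: int) -> bool:
    """True if `create` refuses the rule with ValueError; used to compare the two validators."""
    try:
        create(protocol, from_port, to_port)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: same out-of-range ports, differing only in case.
    for proto in ("tcp", "TCP"):
        print(proto, "vulnerable rejects:", rejects(vulnerable_create_rule, proto, 0, 70000),
              "hardened rejects:", rejects(hardened_create_rule, proto, 0, 70000))
```

The general point the example makes is that any check performed before canonicalisation is a check the client can route around by choosing a spelling the validator does not recognise; the fix is to normalise once, validate the normalised value, and fail closed on anything outside the known set.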
CVE-2011-0466
CVE-2011-0466 affects SUSE openSUSE Build Service (OBS) versions 2.0.x before 2.0.8 and 2.1.x before 2.1.6. The issue allows attackers to bypass write-access restrictions and modify a (1) package or (2) project via unspecified vectors. Remediation per connected sources is to upgrade to the fi...
The Danger of Open APIs
Ninety years ago KitchenAid released their first countertop mixer, which weighed in at about 69 pounds. More interestingly, the mixer also had a special socket that allowed users to attach assorted add-ons for new functionality such as slicers, shredders and meat grinders. Today this sort of...