Akamai Platform Update: New Security Enhancements That Intelligently Automate Application and API Security, Mitigate Online Fraud, and Reduce Burden on Security Professionals
Today is Day 2 of Akamai's Platform Update. Yesterday, we talked about the acceleration of modern app development and how we're empowering users to shift more compute and data to the edge. From the core to the cloud to the edge, the applications and APIs that power modern web experiences must als...
HealthForYou 1.11.1 / HealthCoach 2.9.2 Account Takeover Vulnerability
HealthForYou version 1.11.1 and HealthCoach version 2.9.2 have a vulnerability that allows for account takeover with only prior knowledge of the user's email address needed. Account takeover with only email address possible Overview Advisory ID: TRSA-2104-02 Advisory version: 1.0 Advisory status:...
Gaining Insights Is Fundamental for API Security
As enterprises continue their digital transformation journey in this Post-COVID era, applications are the engine that drives their business growth. Whether it’s a digital-first enterprise or one that is accelerating its digital transformation initiatives, APIs are not only opening up systems so...
Echelon PII Leak and Disclosure Fail
Echelon Fitness is a competitor to companies such as Peloton. You buy the hardware, quickly assemble it, buy a subscription, use a built-in or external smart device and you do your exercise thing! However, their API had significantly worse security flaws than those we found in Peloton...
Kiterunner - Contextual Content Discovery Tool
For the longest of times, content discovery has been focused on finding files and folders. While this approach is effective for legacy web servers that host static files or respond with 3xx’s upon a partial path, it is no longer effective for modern web applications, specifically APIs. Over time,...
What does Zero Trust mean for API security?
The old mentality of building a moat around important assets and trusting anyone or anything that is already inside the castle perimeter has failed us. Attackers have developed many techniques to jump the moat and scale the castle walls to get at what they want. Thus, the new rallying cry is to...
Cisco SD-WAN vManage Cross-Site Scripting Vulnerability (CNVD-2021-37690)
Cisco SD-WAN vManage is a software from Cisco that provides software-defined networking capabilities. The software provides a way to virtualize the network. A cross-site scripting vulnerability exists in the API of Cisco SD-WAN vManage versions prior to 20.5.1, which stems from the API failing to...
Logitech: Privilege Escalation Leads to Control The Owner Access Token Which leads to control the stream [streamlabs.com]
Hi Security team, Summary: I was able, as Administrator, to change the account owner's access token. Description: As Administrator I have high privileges but I have some restricted areas F1278364 For example, I got an invitation from MrX with the Administrator role. When I navigated to MrX's account as...
Wallarm API Discovery: Discover API endpoints automatically and secure them
What do you know about your APIs? Why are the vulnerable v2 and v3 still exposed if they are deprecated for almost a year? What else is exposed and you don’t even know? Are Swagger specs up to date? Teaser: Surely not. A lot of questions, right? Meet Wallarm’s latest feature for API Discovery and...
Generated Code Contains Local Information Disclosure Vulnerability
Impact This vulnerability impacts generated code. If this code was generated as a one-off occasion, not as a part of an automated CI/CD process, this code will remain vulnerable until fixed manually! On Unix-Like systems, the system temporary directory is shared between all local users. When...
CVE-2021-21331
The CVE affects the Java Datadog API client prior to version 1.0.0-beta.9. The issue is a local information disclosure: prepareDownloadFile creates a temporary file with insecure permissions (-rw-r--r--), so content downloaded via downloadFileFromResponse is exposed ...
Mattermost: [mattermost.com] CORS Misconfiguration leakage of admin users
Summary : CORS policies on pages containing sensitive information should be reviewed to determine whether it is appropriate for the application to trust both the intentions and security posture of any domains granted access. It's possible to get information about the users registered such as: id,...
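The report above is the credentialed-reflection class of CORS bug: the server echoes an attacker-controlled `Origin` back in `Access-Control-Allow-Origin` and also sends `Access-Control-Allow-Credentials: true`, so a page on the attacker's origin can read a logged-in victim's API responses. The following is an added example, not the reporter's or Mattermost's code, that sends the probe origins a tester would try (arbitrary origin, `null`, and the prefix/suffix string-match bypasses) and classifies each response; the `/users` path, the `https://app.example` target and the two stub servers are constructed for illustration.

```python
"""Probe and classify CORS responses for credentialed origin reflection."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List

Headers = Dict[str, str]


def probe_origins(target: str) -> List[str]:
    """Origins worth sending: plain reflection, the 'null' origin, and the two
    sloppy string-match bypasses (target used as a prefix or as a suffix)."""
    host = target.split("://", 1)[1].rstrip("/")
    return [
        "https://evil.example",            # arbitrary origin: echo-anything servers
        "null",                            # sandboxed iframe / data: URL sends Origin: null
        f"https://{host}.evil.example",    # passes a startswith(target) check
        f"https://evil{host}",             # passes an endswith(host) check
    ]


def classify(sent_origin: str, headers: Headers) -> str:
    """Severity of one probe given the response headers it produced."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "none"            # browser blocks the cross-origin read
    if acao == "*":
        # Browsers never attach cookies to a wildcard ACAO, so only data that
        # was public anyway becomes readable.
        return "public-only"
    if acao != sent_origin:
        return "none"            # fixed allow-list that we are not on
    # Our origin was echoed back. With credentials, a page on that origin can
    # read a logged-in victim's responses (the user listing in the report).
    return "critical" if creds else "low"


def http_fetch(url: str, origin: str) -> Headers:
    """Live probe: GET with the chosen Origin and return the response headers."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return dict(resp.headers)
    except urllib.error.HTTPError as e:
        return dict(e.headers)   # a 4xx still carries CORS headers worth reading


def assess(target: str, fetch: Callable[[str, str], Headers]) -> Dict[str, str]:
    """Run every probe against the (assumed) sensitive endpoint; origin -> severity."""
    url = target.rstrip("/") + "/users"
    return {o: classify(o, fetch(url, o)) for o in probe_origins(target)}


# Constructed stand-ins so the example runs offline.
def reflecting_server(url: str, origin: str) -> Headers:
    """Misconfigured: echoes any Origin and allows credentials."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def strict_server(url: str, origin: str) -> Headers:
    """Fixed: exact-match allow-list; no CORS headers for anyone else."""
    if origin in {"https://app.example"}:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    for name, srv in (("reflecting", reflecting_server), ("strict", strict_server)):
        print(name, assess("https://app.example", srv))
```

Against the reflecting stub every probe comes back `critical`; against the strict stub every probe comes back `none`. To test a real host, call `assess("https://host", http_fetch)` and read the four results together: a `critical` on the prefix or suffix probe means the allow-list is a substring check rather than an exact match, which is the fix to ask for.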
Building a Holistic VRM Strategy That Includes the Web Application Layer
Building security into your overall vulnerability risk management (VRM) strategy is a must-do in the age of the all-important web app. Between security and IT-Ops teams, there are a number of steps in the VRM process, including asset identification, enumeration, prioritization, and remediation. How...
CVE-2021-26593
CVE-2021-26593 affects Directus 8.x–8.8.1, where the API endpoint /users/{id} can disclose extensive user data (email, first name, last name) and the 2FA secret, which can be regenerated. Root cause: exposure via an unauthorized or overly permissive user lookup that returns sensitive fields. Impa...
CVE-2021-26593
In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/id. For each call, they get in response a lot of information about the user such as email address, first name, and last name but also the secret for 2FA if one exists. This secret can be regenerated. NOTE...
Questions to Ask Your Application Security Provider
There is a great deal to consider when evaluating application security providers. Understanding your goals will help. If your goal is vendor consolidation, then selecting those that offer multiple security capabilities over single products may make more sense. And if your goal is out-of-the-box...
CVE-2021-21303
CVE-2021-21303 affects Helm (Kubernetes package manager) prior to 3.5.2, where multiple fields in repository/index data and chart/plugin YAML could be unsanitized. The root cause is insufficient sanitization of data loaded from untrusted sources (index.yaml fields, Chart.yaml, plugin.yaml), allow...
API Security Checks in the Post-Pandemic World
The digital transformation journeys of many enterprises have been accelerated by the COVID-19 pandemic. For 2020, IT resources shifted to support WFH policies with mobile and remote productivity solutions, while simultaneously managing multiple datacenter migration projects to the cloud for scale...
CVE-2021-22847
Hyweb HyCMS-J1's API fails to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege...