CVE-2020-10591
Walmart Labs Concord before 1.44.0 has an insecure CORS policy where Access-Control-Allow-Origin depends on Origin and is not configurable. This can allow remote attackers to discover host information, nodes, API metadata, and references to usernames via api/v1/apikey. Affected product version(s)...
CVE-2018-16356
CVE-2018-16356 affects PbootCMS. The issue is a SQL injection in the API endpoint api.php/List/index via the order parameter, allowing injection through user-controllable input. The vulnerability is presented with an overall impact of high/critical (CVSS v3.1: 9.8, Network, Privileges None, Use...
OWASP API Top 10 Projects: Highlights and Overview
In addition to the same risks that web applications are exposed to, APIs face a number of unique security risks and vulnerabilities. This blog provides an overview of the new OWASP API Top 10 risk project. The post OWASP API Top 10 Projects: Highlights and Overview appeared first on...
Reputation Intelligence At Your Fingertips
How important is a reputation? American entertainer Will Rogers once famously said, “it takes a lifetime to build a good reputation, but you can lose it in a minute.” Our reputations are valuable commodities that establish rapport and clout among our colleagues, partners, and customers. A good...
Exposed API
centreon/centreon serves API without the need for authentication. Various web services were fully accessible using external.php which would allow an unauthenticated attacker to perform actions on the server...
Imperva Received Top Scores in Gartner’s “Critical Capabilities for Cloud Web Application Firewalls”
The web application landscape is constantly changing, and the tools needed for the best application security protection need to change with the landscape. With Imperva’s recent improvements in API Security, Bot Management, DDoS and Cloud WAF, it’s easy to see why we are among the highest-scored...
Ability to expose data in Sylius by using an unintended serialisation group
Impact ResourceBundle accepts and uses any serialisation groups to be passed via a HTTP header. This might lead to data exposure by using an unintended serialisation group - for example it could make Shop API use a more permissive group from Admin API. Anyone exposing an API with ResourceBundle's...
Automating API Security in the Cloud
These days, the most common way for services to communicate and transfer data is by using APIs. However, broken, exposed, or hacked APIs are the cause of some of the latest major data breaches, as they have the potential to expose sensitive data for public consumption. Securing your APIs is...
api.joondalup.wa.gov.au Improper Access Control vulnerability
Security researcher devl00p, a holder of 10 badges for responsible and coordinated disclosure, found a security vulnerability affecting the api.joondalup.wa.gov.au website and its users. Following...
WordPress 4.8.x < 4.8.12 Multiple Vulnerabilities
According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities: - Two cross-site scripting (XSS) vulnerabilities exist due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these by convincing ...
Affirm: Absence of Token expiry leads to Unauthorized login Access
Summary While doing the testing for the mobile app, I observed that it is possible to bypass the authentication and gain unauthorized access to the user's account by brute-forcing the PIN due to lack of login token expiry. The way Affirm mobile login works is that the user inputs the phone numbe...
HomeAutomation 3.3.2 Open Redirect
HomeAutomation v3.3.2 Open Redirect Vendor: Tom Rosenback and Daniel Malmgren Product web page: http://karpero.mine.nu/ha/ Affected version: 3.3.2 Summary: HomeAutomation is an open-source web interface and scheduling solution. It was initially made for use with the Telldus TellStick, but is now...
GitLab: Transferring a public group to a private group doesn't remove code from the Elasticsearch API search result
Summary When a public group with public projects is transferred to a private group, the code and the wiki of the public project, although they should now be private, are still reachable through search APIs. I set the severity as "medium" and not "high", because any new action over the project issues...
CVE-2019-19250
OpenTrade before 2019-11-23 allows SQL injection, related to server/modules/api/v1.js and server/utils.js...
CVE-2019-18608
CVE-2019-18608 affects Cezerin v0.33.0, where internal attributes can be overwritten during order processing, allowing a malicious user to modify an order (e.g., payment status or shipping fee) by injecting extra attributes in user input via PUT /ajax/cart during checkout. The issue stems from ge...
CVE-2019-10716
CVE-2019-10716 affects Verodin Director 3.5.3.1 and earlier. The vulnerability is an information-disclosure flaw where the REST API endpoint /integrations.json can reveal usernames and passwords of integrated security tools (e.g., Splunk, ArcSight, Palo Alto, AWS Cloud Trail) to authenticated use...
Wallarm connector to Apigee
If you are a business undergoing a digital transformation, like Walgreens, Nike or Bechtel, heavy reliance on APIs is a key part of that digital transformation strategy. “The growing demand for information, delivered securely at any time, in any place and on any device has changed the way we thin...
A Leader in the 2019 Gartner Magic Quadrant for WAF, Six Years Running
Gartner has published its 2019 Gartner Magic Quadrant for Web Application Firewalls (WAF) and Imperva has been named a Leader for the sixth consecutive year! Along with our WAF Gateways and easy-to-deploy Cloud WAF, we recently added API Security, RASP, Account Takeover Protection, Bot Management, a...
APIs Ease Customer Interaction — and External Attacks. Here’s how to Protect Them.
To deliver seamless service experiences to our customers, businesses now rely heavily on application programming interfaces (APIs). These are a non-negotiable aspect of the way we streamline the interactions and conversations we have with our customers, both internal and external. APIs are now so...
Remote code execution
A remote code execution vulnerability exists in Microsoft SharePoint where APIs aren't properly protected from unsafe data input, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1257, CVE-2019-1296...