DuckDuckGo: Partial bypass of #483774 with Blind XXE on https://duckduckgo.com

Summary: Hi DuckDuckGo team, I've contacted previously you because in a second time on the 483774 report, I've seen that was possible bypass the fix. Anyway, I've not got any response, and because I think that this is a bit dangerous issue, I'm opening another report for the bypass. Hope you'll...

Fighting Fire with Fire: API Automation Risks

Akamai research shows that 83 percent of all traffic on the web today are API calls JSON / XML. In many cases this fast growth can be attributed to the adoption and popularity of mobile devices and the mobile app ecosystem, as well as the abuse by threat actors using bots to automate their manual...

api.kostprice.com XSS vulnerability

Open Bug Bounty ID: OBB-713364 Description| Value ---|--- Affected Website:| api.kostprice.com Open Bug Bounty Program:| View Open Bug Bounty Program Vulnerable Application:| hidden until disclosure Vulnerability Type:| XSS Cross Site Scripting / CWE-79 CVSSv3 Score:| hidden until disclosure...

api.paymentwall.com XSS vulnerability

Open Bug Bounty ID: OBB-713093 Description| Value ---|--- Affected Website:| api.paymentwall.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| hidden until disclosure Vulnerability Type:| XSS Cross Site Scripting / CWE-79 CVSSv3 Score:|...

Welcome, Brooke Motta!

By Ivan Novikov I am excited to announce a great addition to our Go-To-Market team. Brooke Motta has joined Wallarm as Vice President of Sales. Brooke brings 15 years of Cyber Security Sales Experience to the team. She has experience selling up and down the organization from an individual securit...

api.jotform.com XSS vulnerability

Open Bug Bounty ID: OBB-712852 Description| Value ---|--- Affected Website:| api.jotform.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| hidden until disclosure Vulnerability Type:| XSS Cross Site Scripting / CWE-79 CVSSv3 Score:| hidden...

Security Bulletin: Potential redirection to external site when using the the IBM Event Streams API (CVE-2018-1833)

Summary There is a potential for IBM Event Streams API calls involving a paginated response to be redirected to an external site after the first page has been retrieved when subsequent pages are requested. Vulnerability Details CVEID: CVE-2018-1833 DESCRIPTION: IBM Event Streams could allow a...

Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure (2)

Exploit for multiple platform in category web applications Details ================ Software: Fortify SSC Software Security Center Version: 17.10, 17.20 & 18.10 Homepage: https://www.microfocus.com Advisory report: https://github.com/alt3kx/CVE-2018-7691 CVE: CVE-2018-7691 CVSS: 6.5 Medium;...

Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure (2)

Details ================ Software: Fortify SSC Software Security Center Version: 17.10, 17.20 & 18.10 Homepage: https://www.microfocus.com Advisory report: https://github.com/alt3kx/CVE-2018-7691 CVE: CVE-2018-7691 CVSS: 6.5 Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CWE-639 Description...

CVE-2018-14623

CVE-2018-14623 describes a SQL injection flaw in Katello’s errata-related API. An authenticated remote attacker can craft input to force a malformed SQL query in the backend database, leaking internal IDs. The issue is tied to an incomplete fix for CVE-2016-3072. Affected are Katello versions 3.1...

api.freshworks.com Open Redirect vulnerability

Open Bug Bounty ID: OBB-709202 Description| Value ---|--- Affected Website:| api.freshworks.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| hidden until disclosure Vulnerability Type:| Open Redirect / CWE-601 CVSSv3 Score:| hidden until...

“Fire Danger Rating” on “High” in Security Climate

November was a scary month in California. After four years of drought, the forests and towns in the northern part of the state exploded into wildfires, displacing thousands of residents and destroying millions of dollars of property. The foul air in San Francisco and the surrounding areas was a...

CVE-2018-5559

Affected software: Rapid7 Komand prior to 0.42.0. Vulnerability: information disclosure via endpoints that list always encrypted-at-rest connection data, potentially returning un-obscured sensitive data in the API response sent over an encrypted channel. Root cause (as stated): endpoints could ex...

USPS, Amazon Data Leaks Showcase API Weaknesses

The annual holiday buying bonanza has officially kicked off for 2018, and, as if on cue, a pair of security incidents at two of the most-used services this time of year – the U.S. Postal Service and Amazon – showed up to remind us of the dangers of shopping season. Both hinged on improper API use...

QSC18 Takeaway: Complex Environments Demand Visibility and Real-Time Security

If there were two important takeaways from this year's Qualys Security Conference year they would be how today’s complex hybrid environments are demanding security teams find ways to increase visibility into the state of their security posture and be able to quickly mitigate new risks as they...

api.humancalendar.com XSS vulnerability

Open Bug Bounty ID: OBB-700273 Description| Value ---|--- Affected Website:| api.humancalendar.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| hidden until disclosure Vulnerability Type:| XSS Cross Site Scripting / CWE-79 CVSSv3 Score:|...

QSC18: API Security, Enabling Innovation Without Enabling Attacks and Data Breaches

Without APIs, it would be near impossible to see enterprises being able to digitally transform themselves. After all, APIs are the connective-tissue between applications and systems and they make the management, automation and consumption of technology possible at scale. APIs are what enable...

Welcome to Qualys Security Conference 2018

The rise of cloud computing coupled with DevOps is forcing enterprises to rewrite their cybersecurity playbook, and part of that book will be written this week at Qualys Security Conference 2018 in Las Vegas. Today, the dual cloud and DevOps mega-trends are helping companies to digitally transfor...

WordPress 4.3.x < 4.3.11 Multiple Vulnerabilities

According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities : - A DOM-based cross-site scripting XSS vulnerability exists in the uploadSizeError function within file wp-includes/js/plupload/handlers.js when handling overly large file...

api.256file.com XSS vulnerability

Open Bug Bounty ID: OBB-693207 Description| Value ---|--- Affected Website:| api.256file.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| hidden until disclosure Vulnerability Type:| XSS Cross Site Scripting / CWE-79 CVSSv3 Score:| hidden...