22 matches found
EUVD-2026-23807
A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parseopenaipluginjsontotoolbundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery. The...
CVE-2026-6618 langgenius dify ApiBasedToolSchemaParser parser.py parse_openai_plugin_json_to_tool_bundle server-side request forgery
A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parseopenaipluginjsontotoolbundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery. The...
CVE-2024-51558 Brute Force Attack Vulnerability in Wave 2.0
This vulnerability exists in the Wave 2.0 due to missing restrictions for excessive failed authentication attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack against legitimate user OTP, MPIN or password, which could lead to gain...
CVE-2024-47656 User Enumeration vulnerability
This vulnerability exists in Shilpi Client Dashboard due to missing restrictions for incorrect login attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack on password, which could lead to gain unauthorized access to other user...
CVE-2024-47088 User Enumeration vulnerability
This vulnerability exists in Apex Softcell LD Geo due to missing restrictions for excessive failed authentication attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack on login OTP, which could lead to gain unauthorized access to...
CVE-2021-22530 Improper account management vulnerability in NetIQ Advance Authentication
A vulnerability identified in NetIQ Advance Authentication that doesn't enforce account lockout when brute force attack is performed on API based login. This issue may lead to user account compromise if successful or may impact server performance. This issue impacts all NetIQ Advance Authenticati...
CVE-2021-22530 Improper account management vulnerability in NetIQ Advance Authentication
A vulnerability identified in NetIQ Advance Authentication that doesn't enforce account lockout when brute force attack is performed on API based login. This issue may lead to user account compromise if successful or may impact server performance. This issue impacts all NetIQ Advance Authenticati...
CVE-2024-42062 Apache CloudStack: User Key Exposure to Domain Admins
CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that...
Introducing CyberSecurity Asset Management 3.0 with Expanded Discovery and Cyber Risk Assessment
Qualys is re-defining attack surface management with CyberSecurity Asset Management CSAM 3.0, expanding the most comprehensive attack surface coverage on the market to include patent-pending EASM discovery and scan, passive sensing for unmanaged/untrusted devices built in to the Qualys agent, and...
Announcing General Availability of Qualys TotalCloud
Qualys TotalCloud is a CNAPP solution based on Qualys Cloud Platform that provides multi-cloud vulnerability detection and misconfiguration response, and today we are pleased to announce that TotalCloud is now generally available. TotalCloud Home Page Unified View of Multi-Cloud Risk Posture...
The Account Takeover Cat-and-Mouse Game
In an analysis of more than 21 billion application transactions analyzed by the Cequence Security Threat Research Team between June and December of last year, API-based account login and registration transactions increased by 92 percent to more than 850 million. Highlighting the fact that attacke...
Elastic: [Swiftype] - Stored XSS via document field `url` triggers on `https://app.swiftype.com/engines/<engine>/document_types/<type>/documents/<id>`
Dear Team, I have found a stored XSS when create a document via API-based engine. The XSS payload stored in url field. To understand about document schema for API-based engine, please go to https://swiftype.com/documentation/site-search/guides/schema-designapi-based After indexed a document with...
Manufacturing's Cloud Migration Opens Door to Major Cyber-Risk
Web-facing applications continue to be one of the highest security risks present for organizations, with more than 40 percent of them actively leaking data in a way that can have a ripple affect across businesses and their partners, research has found. Moreover, manufacturing is particularly...
ScoutSuite - Multi-Cloud Security Auditing Tool
Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of...
Implementing Bug Bounty Programs: The Right and Wrong Approaches
While bug-bounty programs may seem like a cure-all solution for companies looking discover vulnerabilities in their systems more efficiently, the fact remains that a program could overwhelm a firm’s internal security team and cause other major headaches if implemented the wrong way. “You have to...
PHP Scripts Mall API Based Travel Booking Cross Site Scripting Vulnerability
PHP Scripts Mall API Based Travel Booking is an online travel booking system script by PHP Scripts Mall India. A cross-site scripting vulnerability exists in PHP Scripts Mall API Based Travel Booking version 3.4.7, which can be exploited by an attacker to execute client-side code...
CVE-2019-7554
An issue was discovered in PHP Scripts Mall API Based Travel Booking 3.4.7. There is Reflected XSS via the flight-results.php d2 parameter...
Part 2: The Dark Side of APIs
Ryan Barnett, Principal Security Researcher, Akamai Elad Shuster, Senior Security Researcher, Akamai During its research into Credential Abuse attack campaigns, Akamai's threat research team conducted an analysis of web logins to gain insights into how widespread the adoption of API-based logins ...
AVPASS - Tool For Leaking And Bypassing Android Malware Detection System
AVPASS is a tool for leaking the detection model of Android malware detection systems i.e., antivirus software, and bypassing their detection logics by using the leaked information coupled with APK obfuscation techniques. AVPASS is not limited to detection features used by detection systems, and...
SimplyEmail - Email Recon Made Fast And Easy, With A Framework To Build On
What is the simple email recon tool? This tool was based off the work of theHarvester and kind of a port of the functionality. This was just an expansion of what was used to build theHarvester and will incorporate his work but allow users to easily build Modules for the Framework. Which I felt wa...