1894 matches found
SQL injection and Authentication bypass
Description The validApiKey middleware, which is responsible for verifying API keys provided in the request's Authorization header, is susceptible to SQL injection. This vulnerability can potentially lead to an authentication bypass, granting unauthorized access to API endpoints. NOTE: It's worth...
CVE-2023-4209
The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks...
CVE-2023-4209
The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks...
Cross site request forgery (csrf)
The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks...
CVE-2023-4209 POEditor < 0.9.8 - Settings Reset via CSRF
The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks...
PT-2023-33035 · Unknown · Apollo Server
Name of the Vulnerable Software and Affected Versions: Apollo Server versions prior to the latest version Description: The issue concerns Apollo Server logging sensitive information, specifically Studio API keys, under certain conditions. This occurs when API keys are passed with leading or...
Prevent logging invalid header values
Impact What kind of vulnerability is it? Apollo Server can log sensitive information Studio API keys if they are passed incorrectly with leading/trailing whitespace or if they have any characters that are invalid as part of a header value. Who is impacted? Users who all of the below: use either t...
PT-2023-28262 · WordPress · Poeditor
Name of the Vulnerable Software and Affected Versions: POEditor WordPress plugin versions prior to 0.9.8 Description: The issue is related to the lack of CSRF checks in various places within the plugin, allowing attackers to perform unwanted actions on logged-in admins, such as resetting the...
Poastal - The Email OSINT Tool
Poastal is an email OSINT tool that provides valuable information on any email address. With Poastal, you can easily input an email address and it will quickly answer several questions, providing you with crucial information. Features Determine the name of the person who has the email. Check if t...
Cross-Site Request Forgery (CSRF)
wallabag/wallabag is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability exists in the deleteClientAction function of DeveloperController.php as it does not properly validate the CSRF token, which allows an attacker to arbitrarily delete the API key by sending a GET request to the...
Wallabag user can delete own API client unintentionally
Description wallabag was discovered to contain a Cross-Site Request Forgery CSRF which allows attackers to arbitrarily delete API key via /developer/client/delete/id This vulnerability has a CVSSv3.1 score of 6.5. You should immediately patch your instance to version 2.6.3 or higher if you have...
HEDnsExtractor - Raw Html Extractor From Hurricane Electric Portal
HEDnsExtractor Raw html extractor from Hurricane Electric portal Features Automatically identify IPAddr ou Networks through command line parameter or stdin Extract networks based on IPAddr. Extract domains from networks. Installation go install -v...
Robo Gallery < 3.2.16 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to:...
Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager
In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...
CVE-2023-4009
In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...
Privilege escalation
In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...
CVE-2023-4009 Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager
In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...
CVE-2023-4009 Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager
In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...
MongoDB Ops Manager Security Vulnerability
MongoDB Ops Manager is a solution from MongoDB, Inc. that supports the management, monitoring, and backup of MongoDB deployments. A security vulnerability exists in MongoDB Ops Manager versions prior to 5.0.22, 6.0.17, and 6.0.17, which originates from a user with Project Owner or Project User...
POEditor < 0.9.8 - Settings Reset via CSRF
Description The plugin does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks. PoC...