
1894 matches found

Huntr · added 2023/09/03 7:23 p.m. · 30 views

SQL injection and Authentication bypass

Description The validApiKey middleware, which is responsible for verifying API keys provided in the request's Authorization header, is susceptible to SQL injection. This vulnerability can potentially lead to an authentication bypass, granting unauthorized access to API endpoints. NOTE: It's worth...

CVSS 5 · AI score 9 · EPSS 0.00585
Exploits 1
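The Huntr entry above describes an API-key middleware that builds its lookup query from the raw Authorization header. The listing does not name the project, so the following is an added illustration, not that project's code: the table, column and function names are constructed, and the second lookup shows the parameterised form that closes the bypass.

```python
import sqlite3

# Constructed sample data for the example: an in-memory key table with one admin key.
# None of this is the code of the project behind the Huntr report.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE api_keys (api_key TEXT PRIMARY KEY, username TEXT, role TEXT)")
    db.executemany("INSERT INTO api_keys VALUES (?, ?, ?)", [
        ("k-7f3a", "alice", "admin"),
        ("k-0c91", "bob", "reader"),
    ])
    return db

def parse_authorization(header):
    """Return the bearer token from an Authorization header value, or None."""
    if header is None:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()

def lookup_vulnerable(db, header):
    """The reported pattern: the attacker-controlled token is spliced into the SQL text,
    so a token such as  ' OR role='admin' --  matches the admin row without knowing a key."""
    token = parse_authorization(header)
    if token is None:
        return None
    sql = "SELECT username, role FROM api_keys WHERE api_key = '%s'" % token
    row = db.execute(sql).fetchone()
    return {"user": row[0], "role": row[1]} if row else None

def lookup_fixed(db, header):
    """Same lookup with a bound parameter: the token is data, never SQL syntax."""
    token = parse_authorization(header)
    if token is None:
        return None
    row = db.execute(
        "SELECT username, role FROM api_keys WHERE api_key = ?", (token,)
    ).fetchone()
    return {"user": row[0], "role": row[1]} if row else None

if __name__ == "__main__":
    db = make_db()
    forged = "Bearer ' OR role='admin' --"
    print("vulnerable:", lookup_vulnerable(db, forged))
    print("fixed:     ", lookup_fixed(db, forged))
```

Binding the parameter is the whole fix; a denylist of quote characters is not, because the middleware should accept whatever opaque bytes the key generator produces. Storing only a hash of each key and looking up by hash is a further hardening step that also limits the damage if the table is ever read.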
NVD · added 2023/08/30 3:15 p.m. · 24 views

CVE-2023-4209

The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks...

CVSS 4.3 · AI score 4.7 · EPSS 0.00218
Exploits 2 · References 1
OSV · added 2023/08/30 3:15 p.m. · 5 views

CVE-2023-4209

The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks...

CVSS 4.3 · AI score 7.3
Exploits 0 · References 1
Prion · added 2023/08/30 3:15 p.m. · 13 views

Cross site request forgery (csrf)

The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks...

CVSS 4.3 · AI score 4.9 · EPSS 0.00218
Exploits 2 · References 1 · Affected Software 1
Cvelist · added 2023/08/30 2:22 p.m. · 25 views

CVE-2023-4209 POEditor < 0.9.8 - Settings Reset via CSRF

The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks...

AI score 5 · EPSS 0.00218
Exploits 2 · References 1
Positive Technologies · added 2023/08/30 12:00 a.m. · 4 views

PT-2023-33035 · Unknown · Apollo Server

Name of the Vulnerable Software and Affected Versions: Apollo Server versions prior to the latest version Description: The issue concerns Apollo Server logging sensitive information, specifically Studio API keys, under certain conditions. This occurs when API keys are passed with leading or...

AI score 7.1
Exploits 0 · References 5
GitLab Advisory Database · added 2023/08/30 12:00 a.m. · 27 views

Prevent logging invalid header values

Impact What kind of vulnerability is it? Apollo Server can log sensitive information (Studio API keys) if they are passed incorrectly with leading/trailing whitespace or if they have any characters that are invalid as part of a header value. Who is impacted? Users who meet all of the below: use either t...

AI score 6.7
Exploits 0 · References 4 · Affected Software 1
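The two Apollo Server entries above describe the same failure mode: a key that is not a valid HTTP header value is rejected, and the rejection message, key included, ends up in the logs. The following is an added illustration of validating before use and raising a key-free error; it is not Apollo Server's code, and the header name, function names and defect wording are assumptions.

```python
# Added example, not Apollo Server's implementation. The header name "X-Api-Key" and
# the function names are assumptions for illustration.

class InvalidApiKey(ValueError):
    """Raised when a key cannot be sent as an HTTP header value. The message never
    contains the key itself, so logging str(exc) is safe."""

def describe_defect(value):
    """Return a key-free reason why `value` is not a valid header field value
    (RFC 7230: visible ASCII plus internal SP/HTAB, no surrounding whitespace),
    or None when it is valid."""
    if not value:
        return "empty value"
    if value != value.strip(" \t\r\n"):
        return "leading or trailing whitespace"
    for offset, ch in enumerate(value):
        if not (0x21 <= ord(ch) <= 0x7E or ch in " \t"):
            return "non-header character U+%04X at offset %d" % (ord(ch), offset)
    return None

def build_headers_unsafe(key):
    """The leaky pattern: the exception text embeds the secret, so any
    logger.error(str(exc)) in the caller writes the key to the log."""
    if describe_defect(key) is not None:
        raise ValueError("invalid header value: %r" % key)
    return {"X-Api-Key": key}

def build_headers_safe(key):
    """Validate first; report only the shape of the problem and the length."""
    defect = describe_defect(key)
    if defect is not None:
        raise InvalidApiKey(
            "API key is not a valid header value: %s (length %d)" % (defect, len(key))
        )
    return {"X-Api-Key": key}

def error_message_contains_key(builder, key):
    """True if builder(key) raises and the exception text exposes the (trimmed) key."""
    try:
        builder(key)
    except ValueError as exc:  # InvalidApiKey is a ValueError subclass
        return key.strip() in str(exc)
    return False

if __name__ == "__main__":
    # Constructed sample key with a trailing newline, as from a sloppy `cat keyfile`.
    pasted = "service:abc123\n"
    print(error_message_contains_key(build_headers_unsafe, pasted))  # leaks
    print(error_message_contains_key(build_headers_safe, pasted))    # does not
```

The same discipline applies one layer down: if the HTTP client library raises its own error on an invalid header, wrap that call and re-raise without the offending value, because the library's message will usually quote it.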
Positive Technologies · added 2023/08/30 12:00 a.m. · 5 views

PT-2023-28262 · WordPress · Poeditor

Name of the Vulnerable Software and Affected Versions: POEditor WordPress plugin versions prior to 0.9.8 Description: The issue is related to the lack of CSRF checks in various places within the plugin, allowing attackers to perform unwanted actions on logged-in admins, such as resetting the...

CVSS 4.3 · AI score 5.4 · EPSS 0.00218
Exploits 2 · References 5
Kitploit · added 2023/08/25 12:30 p.m. · 48 views

Poastal - The Email OSINT Tool

Poastal is an email OSINT tool that provides valuable information on any email address. With Poastal, you can easily input an email address and it will quickly answer several questions, providing you with crucial information. Features Determine the name of the person who has the email. Check if t...

AI score 6.9
Exploits 0 · References 1
Veracode · added 2023/08/22 4:11 a.m. · 22 views

Cross-Site Request Forgery (CSRF)

wallabag/wallabag is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability exists in the deleteClientAction function of DeveloperController.php as it does not properly validate the CSRF token, which allows an attacker to arbitrarily delete the API key by sending a GET request to the...

CVSS 6.5 · AI score 6.8 · EPSS 0.00276
Exploits 1 · References 4 · Affected Software 1
Github Security Blog · added 2023/08/21 8:28 p.m. · 35 views

Wallabag user can delete own API client unintentionally

Description wallabag was discovered to contain a Cross-Site Request Forgery CSRF which allows attackers to arbitrarily delete API key via /developer/client/delete/id This vulnerability has a CVSSv3.1 score of 6.5. You should immediately patch your instance to version 2.6.3 or higher if you have...

CVSS 6.5 · AI score 6.6 · EPSS 0.00276
Exploits 1 · References 4 · Affected Software 1
Kitploit · added 2023/08/20 12:30 p.m. · 41 views

HEDnsExtractor - Raw Html Extractor From Hurricane Electric Portal

HEDnsExtractor Raw HTML extractor from Hurricane Electric portal Features Automatically identify IPAddr or Networks through command line parameter or stdin Extract networks based on IPAddr. Extract domains from networks. Installation go install -v...

AI score 7.4
Exploits 0 · References 1
WPVulnDB · added 2023/08/14 12:00 a.m. · 13 views

Robo Gallery < 3.2.16 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). PoC 1. Go to:...

CVSS 4.8 · AI score 4.7 · EPSS 0.00402
Exploits 2 · Affected Software 1
MongoDB · added 2023/08/08 10:30 a.m. · 82 views

Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...

CVSS 7.2 · AI score 6.9 · EPSS 0.00614
Exploits 0 · References 3 · Affected Software 1
NVD · added 2023/08/08 9:15 a.m. · 14 views

CVE-2023-4009

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...

CVSS 7.2 · AI score 7 · EPSS 0.00614
Exploits 0 · References 3
Prion · added 2023/08/08 9:15 a.m. · 35 views

Privilege escalation

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...

CVSS 5.8 · AI score 6.9 · EPSS 0.00614
Exploits 0 · References 3 · Affected Software 1
Vulnrichment · added 2023/08/08 8:37 a.m. · 11 views

CVE-2023-4009 Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...

CVSS 7.2 · AI score 6.8 · EPSS 0.00614
Exploits 0 · References 3
Cvelist · added 2023/08/08 8:37 a.m. · 18 views

CVE-2023-4009 Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation...

CVSS 7.2 · AI score 7.2 · EPSS 0.00614
Exploits 0 · References 3
CNNVD · added 2023/08/08 12:00 a.m. · 5 views

MongoDB Ops Manager Security Vulnerability

MongoDB Ops Manager is a solution from MongoDB, Inc. that supports the management, monitoring, and backup of MongoDB deployments. A security vulnerability exists in MongoDB Ops Manager 5.0 versions prior to 5.0.22 and 6.0 versions prior to 6.0.17, which originates from a user with Project Owner or Project User...

CVSS 7.2 · AI score 6.9 · EPSS 0.00614
Exploits 0 · References 4
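The CVE-2023-4009 entries above all describe one design flaw: a project-scoped caller could mint an API key carrying a role above its own. The check that prevents it is a role ceiling at key-creation time, requested roles must be a subset of what the caller is allowed to grant. The block below is an added illustration of that check, not MongoDB Ops Manager's code or role model; the role names, the grant table and the caller structure are assumptions.

```python
# Added example: a role-ceiling check for API key creation. The role names and the
# GRANTABLE table are assumptions for illustration, not Ops Manager's actual role model.

# For each role a caller holds, the roles it may place on a new API key.
GRANTABLE = {
    "ORG_OWNER": {"ORG_OWNER", "ORG_MEMBER", "PROJECT_OWNER",
                  "PROJECT_USER_ADMIN", "PROJECT_READ_ONLY"},
    "ORG_MEMBER": set(),
    "PROJECT_OWNER": {"PROJECT_OWNER", "PROJECT_USER_ADMIN", "PROJECT_READ_ONLY"},
    "PROJECT_USER_ADMIN": {"PROJECT_USER_ADMIN", "PROJECT_READ_ONLY"},
    "PROJECT_READ_ONLY": set(),
}

def create_api_key_vulnerable(caller, requested_roles, project):
    """The faulty pattern: authorise the *action* (may this caller create keys here?)
    but copy the requested roles onto the key without comparing them to the caller's own."""
    if project not in caller["projects"]:
        raise PermissionError("caller has no access to project")
    return {"project": project, "roles": set(requested_roles)}

def grantable_roles(caller, project):
    """Union of the roles the caller may grant on a key scoped to `project`."""
    allowed = set()
    for role in caller["org_roles"]:
        allowed |= GRANTABLE[role]
    for role in caller["projects"].get(project, set()):
        allowed |= GRANTABLE[role]
    return allowed

def create_api_key_fixed(caller, requested_roles, project):
    """Authorise the action and enforce the ceiling: every requested role must be grantable."""
    requested = set(requested_roles)
    if project not in caller["projects"] and "ORG_OWNER" not in caller["org_roles"]:
        raise PermissionError("caller has no access to project")
    excess = requested - grantable_roles(caller, project)
    if excess:
        raise PermissionError("caller may not grant: %s" % ", ".join(sorted(excess)))
    return {"project": project, "roles": requested}

def key_creation_allowed(caller, requested_roles, project):
    """Convenience wrapper: True if the fixed check permits the request."""
    try:
        create_api_key_fixed(caller, requested_roles, project)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    # Constructed caller: a Project Owner on project "p1" with no org-level role.
    project_owner = {"org_roles": set(), "projects": {"p1": {"PROJECT_OWNER"}}}
    print(create_api_key_vulnerable(project_owner, {"ORG_OWNER"}, "p1"))  # escalates
    print(key_creation_allowed(project_owner, {"ORG_OWNER"}, "p1"))       # False
```

The useful property of an explicit grant table is that it is reviewable: adding a role forces someone to decide what it may delegate, rather than inheriting "anything" by default.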
WPVulnDB · added 2023/08/07 12:00 a.m. · 9 views

POEditor < 0.9.8 - Settings Reset via CSRF

Description The plugin does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks. PoC...

CVSS 4.3 · AI score 7 · EPSS 0.00218
Exploits 2 · References 1 · Affected Software 1
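The POEditor entries and the wallabag entries above are the same bug class: a state-changing endpoint (reset settings, change an API key, delete an API client at /developer/client/delete/id) that accepts any request the browser sends with the victim's cookie, with no token tying the request to a page the site itself served. The block below is an added illustration of the vulnerable handler beside the fixed one; it is not code from wallabag, POEditor or WordPress, and the session object, client store and handler signatures are constructed.

```python
import hmac
import secrets

# Added example, not code from wallabag or the POEditor plugin. Session, the client
# store and the handler signatures are constructed for illustration.

class Session:
    """A logged-in user's server-side session. The browser attaches the session cookie
    to every request to the site, including ones a third-party page triggers."""
    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)

def make_clients():
    # Constructed sample data: two API clients owned by "alice".
    return {1: {"owner": "alice", "name": "mobile"}, 2: {"owner": "alice", "name": "cli"}}

def delete_client_vulnerable(clients, session, method, client_id, form):
    """Deletes on any method with no token check. A page on another origin can fire it with
    <img src="https://victim.example/developer/client/delete/1"> while alice is logged in."""
    client = clients.get(client_id)
    if client is None or client["owner"] != session.user:
        return 404
    del clients[client_id]
    return 302  # redirect back to the client list

def delete_client_fixed(clients, session, method, client_id, form):
    """State change only on POST, and only with the per-session token, compared in constant time."""
    if method != "POST":
        return 405
    sent = form.get("_token", "")
    if not hmac.compare_digest(sent.encode("utf-8"), session.csrf_token.encode("utf-8")):
        return 403
    client = clients.get(client_id)
    if client is None or client["owner"] != session.user:
        return 404
    del clients[client_id]
    return 302

if __name__ == "__main__":
    alice = Session("alice")
    clients = make_clients()
    # Cross-site GET: cookie present, no token.
    print(delete_client_vulnerable(clients, alice, "GET", 1, {}), 1 in clients)  # 302 False
    clients = make_clients()
    print(delete_client_fixed(clients, alice, "GET", 1, {}), 1 in clients)       # 405 True
```

Requiring POST on its own does not help, because an auto-submitting cross-site form can POST just as easily; the token is the real check, and the ownership test after it is still needed against a logged-in attacker guessing ids. SameSite=Lax on the session cookie is worthwhile defence in depth but does not replace the token.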