1893 matches found
CVE-2023-0443 AnyWhere Elementor < 1.2.8 - Freemius API Key Disclosure
The AnyWhere Elementor WordPress plugin before 1.2.8 discloses a Freemius Secret Key which could be used by an attacker to purchase the pro subscription using test credit card numbers without actually paying the amount. Such key has been revoked...
This Week in Spring - May 30th, 2023
Hi, Spring fans! Welcome to another installment of This Week in Spring! This installment I write on the day of my daughter's High School graduation, an auspicious day indeed! There's a lot to get through this week, though, and I have a graduation to get to, so let's dive right in! Spring...
GetSimple CMS 3.3.16 Shell Upload
Exploit Title: GetSimple CMS v3.3.16 - Remote Code Execution RCE Data: 18/5/2023 Exploit Author : Youssef Muhammad Vendor: Get-simple Software Link: Version app: 3.3.16 Tested on: linux CVE: CVE-2022-41544 import sys import hashlib import re import requests from xml.etree import ElementTree from...
KoodousFinder - A Simple Tool To Allows Users To Search For And Analyze Android Apps For Potential Security Threats And Vulnerabilities
A simple tool to allows users to search for and analyze android apps for potential security threats and vulnerabilities Account and API Key Create a Koodous account and get your api key https://koodous.com/settings/developers Install $ pip install koodousfinder Arguments Param | description ---|-...
Security Bulletin: IBM Cloud Pak for Security (CP4S) could allow an attacker with a valid API key for one tenant to access data from another tenant's account. (CVE-2023-30993)
Summary IBM Cloud Pak for Security CP4S could allow an attacker with a valid API key for one tenant to access data from another tenant's account. This has been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section...
API Token Disclosure
planet is vulnerable to API Token Disclosure. The vulnerability is due to insecure file permissions set on the secrets file containing the API key. Any user in the system is able to view the secret file, which stores the user's Planet API login token...
CVE-2023-2632
Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...
PT-2023-20615 · Jenkins · Credentials Plugin +2
Name of the Vulnerable Software and Affected Versions: Jenkins Code Dx Plugin versions 3.1.0 and earlier Description: The issue concerns the storage and display of Code Dx server API keys. In affected versions, these keys are stored unencrypted in job config.xml files on the Jenkins controller an...
New Phishing-as-a-Service Platform Lets Cybercriminals Generate Convincing Phishing Pages
A new phishing-as-a-service PhaaS or PaaS platform named Greatness has been leveraged by cybercriminals to target business users of the Microsoft 365 cloud service since at least mid-2022, effectively lowering the bar to entry for phishing attacks. "Greatness, for now, is only focused on Microsof...
AnyWhere Elementor < 1.2.8 - Freemius API Key Disclosure
The plugin discloses a Freemius Secret Key which could be used by an attacker to purchase the pro subscription using test credit card numbers without actually paying the amount. Such key has been revoked. See the disclosed secret key in includes/pro.php...
CVE-2023-22429
Android App 'Wolt Delivery: Food and more' version 4.27.2 and earlier uses hard-coded credentials API key for an external service, which may allow a local attacker to obtain the hard-coded API key via reverse-engineering the application binary...
Hardcoded credentials
Android App 'Wolt Delivery: Food and more' version 4.27.2 and earlier uses hard-coded credentials API key for an external service, which may allow a local attacker to obtain the hard-coded API key via reverse-engineering the application binary...
CVE-2023-22429
Android App 'Wolt Delivery: Food and more' version 4.27.2 and earlier uses hard-coded credentials API key for an external service, which may allow a local attacker to obtain the hard-coded API key via reverse-engineering the application binary...
CVE-2023-22429
The CVE affects the Android app Wolt Delivery: Food and more (versions 4.27.2 and earlier). Root cause: hard-coded API key for an external service embedded in the application binary, enabling a local attacker to extract it via reverse-engineering. Impact, as stated, is high for confidentiality/in...
CVE-2023-22429
Android App 'Wolt Delivery: Food and more' version 4.27.2 and earlier uses hard-coded credentials API key for an external service, which may allow a local attacker to obtain the hard-coded API key via reverse-engineering the application binary...
BTCPay Server 1.7.4 HTML Injection
Exploit Title: BTCPay Server v1.7.4 - HTML Injection Date: 01/26/2023 Exploit Author: Manojkumar J TheWhiteEvil Vendor Homepage: https://github.com/btcpayserver/btcpayserver Software Link: https://github.com/btcpayserver/btcpayserver/releases/tag/v1.7.5 Version: clickhere 3. Click remove/delete A...
BTCPay Server v1.7.4 - HTML Injection Vulnerability
Exploit Title: BTCPay Server v1.7.4 - HTML Injection Exploit Author: Manojkumar J TheWhiteEvil Vendor Homepage: https://github.com/btcpayserver/btcpayserver Software Link: https://github.com/btcpayserver/btcpayserver/releases/tag/v1.7.5 Version: clickhere 3. Click remove/delete API key, the html...
BTCPay Server v1.7.4 - HTML Injection
Exploit Title: BTCPay Server v1.7.4 - HTML Injection Date: 01/26/2023 Exploit Author: Manojkumar J TheWhiteEvil Vendor Homepage: https://github.com/btcpayserver/btcpayserver Software Link: https://github.com/btcpayserver/btcpayserver/releases/tag/v1.7.5 Version: clickhere 3. Click remove/delete A...
Apiman vulnerable to permissions bypass due to missing check on API key URL
Impact Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL. The URL includes Organisation ID, Client ID, and Client Version of the targeted non-permitted...
CVE-2023-28640 Permissions bypass in Apiman could enable authenticated attacker to unpermitted API Key
Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client...