1895 matches found

Hacker One
added 2019/12/31 7:33 a.m., 43 views

Rocket.Chat: API Keys Hardcoded in Github repository

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: API Keys is ha...

AI score 7
Exploits 0

NVD
added 2019/12/27 2:15 p.m., 13 views

CVE-2014-4559

Multiple cross-site scripting (XSS) vulnerabilities in test-plugin.php in the Swipe Checkout for WP e-Commerce plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) apikey, (2) paymentpageurl, (3) merchantid, (4) apiurl, or (5) currency parameter...

CVSS 6.1, AI score 6.2, EPSS 0.01163
Exploits 2, References 1

Cvelist
added 2019/12/27 1:56 p.m., 16 views

CVE-2014-4559

Multiple cross-site scripting (XSS) vulnerabilities in test-plugin.php in the Swipe Checkout for WP e-Commerce plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) apikey, (2) paymentpageurl, (3) merchantid, (4) apiurl, or (5) currency parameter...

AI score 6.2, EPSS 0.01163
Exploits 2, References 1

Kitploit
added 2019/12/24 11:30 a.m., 279 views

AttackSurfaceMapper - A Tool That Aims To Automate The Reconnaissance Process

Attack Surface Mapper is a reconnaissance tool that uses a mixture of open source intelligence and active techniques to expand the attack surface of your target. You feed in a mixture of one or more domains, subdomains and IP addresses and it uses numerous techniques to find more targets. It...

AI score 7
Exploits 0, References 2

NVD
added 2019/12/10 3:15 p.m., 20 views

CVE-2019-19251

The Last.fm desktop app Last.fm Scrobbler through 2.1.39 on macOS makes HTTP requests that include an API key without the use of SSL/TLS. Although there is an Enable SSL option, it is disabled by default, and cleartext requests are made as soon as the app starts...

CVSS 5.3, AI score 5.3, EPSS 0.00654
Exploits 0, References 1

Cvelist
added 2019/12/10 2:26 p.m., 22 views

CVE-2019-19251

The Last.fm desktop app Last.fm Scrobbler through 2.1.39 on macOS makes HTTP requests that include an API key without the use of SSL/TLS. Although there is an Enable SSL option, it is disabled by default, and cleartext requests are made as soon as the app starts...

AI score 5.3, EPSS 0.00654
Exploits 0, References 1

GithubExploit
added 2019/12/07 5:09 p.m., 133 views

Exploit for Path Traversal in Ivanti Connect_Secure

pulsexploit Automated script for Pulse Secure SSL VPN exploit...

CVSS 10, AI score 9.4, EPSS 0.99999
Exploits 22

Hacker One
added 2019/12/06 5:43 a.m., 17 views

Nord Security: Connection information is sent to a third-party service

Application event data exposed through the reuse of API key. The researcher reported that iOS app usage event information sent to the third-party service can be intercepted through the reuse of API key. In order to resolve the issue we have disabled GET requests for API keys, removed the third par...

AI score 6.6
Exploits 0

NVD
added 2019/11/21 11:15 p.m., 25 views

CVE-2019-18933

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an...

CVSS 9.8, AI score 9.6, EPSS 0.01352
Exploits 0, References 2

OSV
added 2019/11/21 11:15 p.m., 17 views

CVE-2019-18933

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an...

CVSS 9.8, AI score 7.1
Exploits 0, References 2

Prion
added 2019/11/21 11:15 p.m., 18 views

Authentication flaw

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an...

CVSS 7.5, AI score 9.5, EPSS 0.01352
Exploits 0, References 2, Affected Software 1

Cvelist
added 2019/11/21 10:45 p.m., 29 views

CVE-2019-18933

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an...

AI score 9.6, EPSS 0.01352
Exploits 0, References 2

CVE
added 2019/11/21 10:45 p.m., 90 views

CVE-2019-18933

CVE-2019-18933 affects Zulip Server versions 1.7.0 through

CVSS 9.8, AI score 9.5, EPSS 0.01352
Exploits 0, References 2, Affected Software 1

OSV
added 2019/10/30 2:15 p.m., 21 views

CVE-2019-7619

Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm...

CVSS 5.3, AI score 6.6
Exploits 0, References 3

UbuntuCve
added 2019/10/30 2:15 p.m., 38 views

CVE-2019-7619

Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm...

CVSS 5.3, AI score 6, EPSS 0.02429
Exploits 0, References 2

Prion
added 2019/10/30 2:15 p.m., 18 views

Design/Logic Flaw

Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm...

CVSS 5, AI score 5.4, EPSS 0.02429
Exploits 0, References 3, Affected Software 1

Cvelist
added 2019/10/30 1:37 p.m., 41 views

CVE-2019-7619

Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm...

AI score 5.1, EPSS 0.02429
Exploits 0, References 3

CVE
added 2019/10/30 1:37 p.m., 112 views

CVE-2019-7619

CVE-2019-7619 affects Elasticsearch versions 7.0.0–7.3.2 and 6.7.0–6.8.3, where an unauthenticated attacker could use the API Key service to determine if a username exists in the native realm due to a username-disclosure flaw. The connected documents corroborate a username disclosure vulnerabilit...

CVSS 5.3, AI score 5.3, EPSS 0.02429
Exploits 0, References 3, Affected Software 1

Hacker One
added 2019/10/28 3:41 p.m., 46 views

Ping Identity: Google Maps API key leaked during device pairing

Summary: just on intercepting and going through the request I made from ort-admin.pingone.com, I found that the Google Maps API key was leaking through a GET request. I was able to validate that the leaked key was a valid one. Steps To Reproduce: 1. Login to account, go to setup tab, ping iD device...

Exploits 0

Veracode
added 2019/10/24 4:37 a.m., 532 views
Information Disclosure

A username disclosure flaw was found in Elasticsearch’s API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm...

CVSS 5.3, AI score 2.6, EPSS 0.02429
Exploits 0, References 4, Affected Software 1