15 matches found
EUVD-2017-0336
Malware in sbrugna...
EUVD-2021-21292
Malware in sbrugna...
CVE-2024-5225
An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the /global/spend/logs endpoint. The vulnerability arises due to improper neutralization of special elements used in an SQL command. The affected code constructs an SQL query by concatenating an unvalidat...
CVE-2024-5225
An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the /global/spend/logs endpoint. The vulnerability arises due to improper neutralization of special elements used in an SQL command. The affected code constructs an SQL query by concatenating an unvalidat...
CVE-2024-5225 SQL Injection in berriai/litellm
An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the /global/spend/logs endpoint. The vulnerability arises due to improper neutralization of special elements used in an SQL command. The affected code constructs an SQL query by concatenating an unvalidat...
Chained Quiz < 1.3.2.3 - Admin+ Stored XSS
The plugin does not sanitise and escape its facebookappid and apikey settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
NotificationX < 2.3.12 - Unauthenticated SQLi
The plugin does not validate and escape the id parameter in its notificationx/v1/notification REST endpoint before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL Injection attacks. The apikey is the md5 of the homeurl either with http or https protocol...
Improper Access Control in zulip/zulip
Description According to the current design of the application, when the user wants to get value of apikey, API /json/fetchapikey will require password to authentication. However, the application exists another API routed at /json/users/me/apikey/regenerate that allows regenerating apikey value a...
CVE-2021-34642 Smart Email Alerts <= 1.0.10 Reflected Cross-Site Scripting
The Smart Email Alerts WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the apikey in the /views/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.10...
CVE-2021-34642
The CVE-2021-34642 entry concerns the WordPress Smart Email Alerts plugin (versions up to 1.0.10) vulnerable to Reflected Cross-Site Scripting via the api_key in ~/views/settings.php. The underlying issue allows injection of arbitrary scripts, with network access and user interaction required (CV...
Dropbox: Leaking API_KEY of testrail of HelloSign gives read/write access
The APIKEY and testrail config details were leaked on Github, which attackers could use to access testrail accounts of HelloSign and perform read/write actions. Impact: Access to testrail account of HelloSign...
Magic: CSRF in generating developer api_key
Hi At https://dashboard.forttmatic.com when developer tries to generate new apikey for his application, a POST request is sent to https://api.forttmatic.com which doesn't have any tokens to guard against CSRF attacks. CSRF POC : history.pushState'', '', '/' On submitting the above request, a new...
RubyGems: 65534 times efficient, Brute-force attack for api_key
I have found that type checking for apikey is insufficient in rubygems.org's source code. https://github.com/rubygems/rubygems.org/blob/master/app/controllers/applicationcontroller.rbL63 ruby def authenticatewithapikey apikey = request.headers"Authorization" || params:apikey @apiuser =...
CVE-2013-7111
The putcall function in the API client api/apiclient.rb in the BaseSpace Ruby SDK aka bio-basespace-sdk gem 0.1.7 for Ruby uses the APIKEY on the command line, which allows remote attackers to obtain sensitive information by listing the processes...
Command injection
The putcall function in the API client api/apiclient.rb in the BaseSpace Ruby SDK aka bio-basespace-sdk gem 0.1.7 for Ruby uses the APIKEY on the command line, which allows remote attackers to obtain sensitive information by listing the processes...