144 matches found
CVE-2024-23738
An issue in Postman version 10.22 and before on macOS allows a remote attacker to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings. NOTE: the vendor states "we dispute the report's accuracy ... the configuration does not enable remote code execution.."...
Remote code execution
An issue in Postman version 10.22 and before on macOS allows a remote attacker to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings. NOTE: the vendor states "we dispute the report's accuracy ... the configuration does not enable remote code execution.."...
Postman Security Vulnerability
Postman is an API platform for developers from the US-based Postman Inc. A security vulnerability exists in Postman prior to version 10.22, which stems from arbitrary code execution via the RunAsNode and enableNodeClilnspectArguments settings...
CVE-2024-23738
CVE-2024-23738 affects Postman versions 10.22 and earlier on macOS. The vulnerability is described as remote code execution via RunAsNode and enableNodeClilnspectArguments settings; PT-2024-1464 additionally links this to a buffer overflow when handling PDF data, though the vendor disputes that t...
CVE-2024-23738
An issue in Postman version 10.22 and before on macOS allows a remote attacker to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings. NOTE: the vendor states "we dispute the report's accuracy ... the configuration does not enable remote code execution.."...
PT-2024-1464 · Postman · Postman
Name of the Vulnerable Software and Affected Versions: Postman versions 10.22 and earlier Description: The issue allows a remote attacker to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings. It is related to a buffer overflow when handling PDF files without...
Porch-Pirate - The Most Comprehensive Postman Recon / OSINT Client And Framework That Facilitates The Automated Discovery And Exploitation Of API Endpoints And Secrets Committed To Workspaces, Collections, Requests, Users And Teams
Porch Pirate started as a tool to quickly uncover Postman secrets, and has slowly begun to evolve into a multi-purpose reconaissance / OSINT framework for Postman. While existing tools are great proof of concepts, they only attempt to identify very specific keywords as "secrets", and in very...
Cognizant: Disclosure of the valid Cognizant credentials at the Postman collection
Vulnerability description not provided...
GHSA-VX8M-6FHW-PCCW @node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError
Summary The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. Details It was noticed that in the validatePostRequestAsync flow in saml.js, the current timestamp is never checked. This could present a...
Malicious code in postman-zendesk-support-theme (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e3501f72f7b7c1700a90f7ad5e3a55cd2462c210637c68dc75f9d336e9bf0063 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
InsightAppSec Advanced Authentication Settings: Token Replacement
There are many different ways to use InsightAppSec to authenticate to web apps, but sometimes you need to go deeper into the advanced settings to fully automate your logins, especially with API scanning. Today, we’ll cover one of those advanced settings: Token Replacement. InsightAppSec Token...
Exploit for Path Traversal in Apache Http_Server
CVE-2021-41773 A Demonstration to show the CVE-2021-41773 vul...
What’s New for Developers: February 2023
Read about the most recent updates to EdgeWorkers, two new Postman collections, and Terraform Provider v3.3.0 — and find out how to sign up for betas...
Privilege vulnerability at API Change Password
Description There is a vulnerability at API Change password. I use API PATCH /api/user/x to get user's information and change their password. With x is the user's id, which are numbers in ascending or descending order Proof of Concept 1. Access to the demo website https://demo.usememos.com/ 2. Us...
Clerk < 4.0.0 - Authentication Bypass and API Keys Disclosure
The plugin is affected by time-based attacks in the validation function for all API requests due to the usage of comparison operators to verify API keys against the ones stored in the site options. PoC - Install the plugin and set the API creds to: - Key:...
Clerk < 4.0.0 - Authentication Bypass and API Keys Disclosure
The plugin is affected by time-based attacks in the validation function for all API requests due to the usage of comparison operators to verify API keys against the ones stored in the site options. - Install the plugin and set the API creds to: - Key:...
What’s New for Developers: October 2022
Read about our new Postman collections, the latest Akamai PowerShell release, our improvements to Edge Diagnostics, and how to quickly integrate Linode with Akamai...
@netceterapx/click-to-pay-embedded-sdk (>=0.0.1 <=1.0.5), postman-helper (>=1.0.0 <=1.0.2) potentially affected by CVE-2022-36083 via jose-browser-runtime (>=4.15.5 <=4.1.2)
jose-browser-runtime NPM version =4.15.5, =0.0.1, =1.0.0, =1.0.2 Source cves: CVE-2022-36083 Source advisory: OSV:GHSA-JV3G-J58F-9MQ9...
Malicious code in postman-echo-nock (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 54ca7d74162028127f3c663d15e3c766cc0f7729f646f4f70d55b0db30b8b253 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-5430 Malicious code in postman-echo-nock (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 54ca7d74162028127f3c663d15e3c766cc0f7729f646f4f70d55b0db30b8b253 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...