Lucene search

1388 matches found

The Hacker News
added 2023/04/13 10:19 a.m. · 41 views

Why Shadow APIs are More Dangerous than You Think

Shadow APIs are a growing risk for organizations of all sizes as they can mask malicious behavior and induce substantial data loss. For those that aren't familiar with the term, shadow APIs are a type of application programming interface (API) that isn't officially documented or supported. Contrary...

7.4 AI score
Exploits: 0

OSV
added 2023/04/04 5:15 p.m. · 0 views

CVE-2023-1749

The listed versions of Nexx Smart Home devices lack proper access control when executing actions. An attacker with a valid NexxHome deviceId could send API requests that the affected devices would execute...

6.5 CVSS · 6.6 AI score
Exploits: 0 · References: 1

CNNVD
added 2023/04/04 12:0 a.m. · 2 views

Directus Resource Management Error Vulnerability

Directus is a real-time API and application dashboard. It is used to manage SQL database content. A security vulnerability exists in the Directus API version v.2.2.0. A remote attacker could exploit this vulnerability to cause a denial of service via a large number of HTTP requests to the system...

6.5 CVSS · 6.6 AI score · 0.00561 EPSS
Exploits: 1 · References: 2

CNNVD
added 2023/04/03 12:0 a.m. · 1 views

Nextcloud Information Disclosure Vulnerability

Nextcloud is an open source suite of self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. An information disclosure vulnerability exists in Nextcloud that stems from a user being able to obtain the full data directory path to the Nextcloud serve...

4.3 CVSS · 5 AI score · 0.00349 EPSS
Exploits: 1 · References: 5

Positive Technologies
added 2023/03/31 12:0 a.m. · 3 views

PT-2023-21996 · Nextcloud +1 · Nextcloud Enterprise Server +2

Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions 24.0.0 through 24.0.6 Nextcloud Server versions 25.0.0 through 25.0.4 Nextcloud Enterprise Server versions 23.0.0 through 23.0.11 Nextcloud Enterprise Server versions 24.0.0 through 24.0.6 Nextcloud Enterprise Server...

9 CVSS · 5.7 AI score · 0.51125 EPSS
Exploits: 4 · References: 26

Positive Technologies
added 2023/03/29 12:0 a.m. · 1 views

PT-2023-2330 · Rocket · Universe +1

Name of the Vulnerable Software and Affected Versions: Rocket Software UniData versions prior to 8.2.4 build 3003 Rocket Software UniVerse versions prior to 11.3.5 build 1001 Rocket Software UniVerse versions prior to 12.2.1 build 2002 Description: The issue is related to a buffer overflow in an...

9 CVSS · 9.2 AI score · 0.00391 EPSS
Exploits: 0 · References: 5

Positive Technologies
added 2023/03/23 12:0 a.m. · 2 views

PT-2023-13975 · Argo Cd · Argo Cd

Name of the Vulnerable Software and Affected Versions: Argo CD versions 0.5.0 through 2.4.12 Argo CD versions 2.5.0 through 2.5.15 Argo CD versions 2.6.0 through 2.6.6 Description: An access control issue in Argo CD allows unauthorized users to enumerate existing applications by inspecting API...

5.3 CVSS · 7.5 AI score · 0.01127 EPSS
Exploits: 0 · References: 12

CNNVD
added 2023/03/21 12:0 a.m. · 1 views

MEGAFEIS DBD+ Security Vulnerability

MEGAFEIS DBD+ is a smart fingerprint Bluetooth padlock from MEGAFEIS. A security vulnerability exists in MEGAFEIS DBD+ version 1.4.4, which stems from a vulnerability that allows an attacker to unlock the model without authorization via arbitrary API requests...

8.1 CVSS · 7.9 AI score · 0.00216 EPSS
Exploits: 2 · References: 3

CNNVD
added 2023/03/07 12:0 a.m. · 1 views

Google Chrome Security Vulnerability

Google Chrome is a web browser from Google, Inc. A security vulnerability exists in Google Chrome version 111.0.5563.64, which stems from a weak policy enforcement issue in the Resource Timing component. The vulnerability allows an attacker who convinces a user to install a malicious extension to...

4.3 CVSS · 6.9 AI score · 0.00177 EPSS
Exploits: 0 · References: 8

CNNVD
added 2023/03/07 12:0 a.m. · 1 views

GitHub Enterprise Server Security Vulnerability

GitHub Enterprise Server is a U.S. GitHub open source application. Provides a platform for setting up your own GitHub instance as a virtual appliance, thus providing a scalable, easy-to-manage platform. A security vulnerability exists in GitHub Enterprise Server versions prior to 3.7. An attacker...

4.3 CVSS · 5.2 AI score · 0.00192 EPSS
Exploits: 0 · References: 5

CNNVD
added 2023/03/07 12:0 a.m. · 2 views

GitLab Security Vulnerability

GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD (continuous integration and continuous delivery), and other features. A security vulnerability exists in GitLab. The vulnerability could allow users...

5 CVSS · 5.2 AI score · 0.00393 EPSS
Exploits: 0 · References: 5

CNNVD
added 2023/03/07 12:0 a.m. · 1 views

Google Chrome Security Vulnerability

Google Chrome is a web browser from Google, Inc USA. A security vulnerability exists in Google Chrome versions prior to 111.0.5563.64, which stems from inadequate enforcement of timing policies. An attacker exploits the vulnerability to obtain potentially sensitive information from the API via...

4.3 CVSS · 7 AI score · 0.00258 EPSS
Exploits: 0 · References: 8

CNNVD
added 2023/03/02 12:0 a.m. · 2 views

Github saleor Security Vulnerability

Github saleor is a headless GraphQL commerce platform that delivers a super-fast, dynamic, personalized shopping experience. Beautiful online store, anywhere, on any device. Github saleor suffers from a security vulnerability that stems from some internal exceptions that are not handled correctly...

6.5 CVSS · 5.6 AI score · 0.00268 EPSS
Exploits: 0 · References: 9

SUSE CVE
added 2023/02/15 5:56 a.m. · 1 views

SUSE CVE-2010-4091

The EScript.api plugin in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.1, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document that triggers memory corruption,...

9.3 CVSS · 7.8 AI score · 0.41046 EPSS
Exploits: 1 · References: 7

SUSE CVE
added 2023/02/15 4:47 a.m. · 1 views

SUSE CVE-2017-7557

dnsdist version 1.1.0 is vulnerable to a flaw in authentication mechanism for REST API potentially allowing CSRF attack...

8.8 CVSS · 7.2 AI score · 0.00004 EPSS
Exploits: 0 · References: 6

SUSE CVE
added 2023/02/15 4:35 a.m. · 2 views

SUSE CVE-2017-1000388

Jenkins Dependency Graph Viewer plugin 0.12 and earlier did not perform permission checks for the API endpoint that modifies the dependency graph, allowing anyone with Overall/Read permission to modify this data...

4.3 CVSS · 4.8 AI score · 0.00031 EPSS
Exploits: 0 · References: 3

SUSE CVE
added 2023/02/15 3:45 a.m. · 1 views

SUSE CVE-2021-23975

The developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes. When this function was invoked we incorrectly called the sizeof function, instead of using the API method that checks for invalid pointers. This vulnerability affects...

6.5 CVSS · 8.5 AI score · 0.00186 EPSS
Exploits: 0 · References: 4

SUSE CVE
added 2023/02/15 3:26 a.m. · 1 views

SUSE CVE-2022-30034

Flower, a web UI for the Celery Python RPC framework, all versions as of 05-02-2022 is vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes...

8.6 CVSS · 8.8 AI score · 0.00226 EPSS
Exploits: 1 · References: 3

OSV
added 2023/02/09 5:15 p.m. · 2 views

CVE-2022-48302

The AMS module has a vulnerability of lacking permission verification in APIs. Successful exploitation of this vulnerability may affect data confidentiality...

7.5 CVSS · 5.8 AI score · 0.00112 EPSS
Exploits: 0 · References: 2

Positive Technologies
added 2023/02/03 12:0 a.m. · 4 views

PT-2023-15554 · Zammad · Zammad

Name of the Vulnerable Software and Affected Versions: Zammad version 5.3.0 Description: Insufficient privilege verification allows an authenticated attacker to perform changes on the tags of their customer tickets using the Zammad API. The issue has been corrected so that only agents with write...

4.3 CVSS · 4.6 AI score · 0.00218 EPSS
Exploits: 0 · References: 4