2 matches found
GHSA-9PG3-25FQ-P6CC nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)
internal/web/operators.go:251 — after handleOperatorCreateAPIKey mints a fresh 32-byte bearer token, the redirect points the operator's browser at: /ui/operators/?newkey=&keyname= The raw API key ends up: - in the browser's URL history - in the Referer header on every cross-origin asset the detai...
APBoard - post threads to protected forums and possibility to hijack forum-password
Product: Another PHP Program - APBoard Versions: tested on 2.02, 2.03 Vulnerability: post threads to protected forums and possibility to hijack forum-password Date: November 12, 2002 Discovered by: ProXy [email protected] Introduction: Normal Users can submit threads to password protected forums a...