7077 matches found

CVE
added 2024/01/24 6:9 p.m. · 69 views

CVE-2024-23649

CVE-2024-23649 affects Lemmy 0.17.0 up to 0.19.0 (vulnerable) with a patch available in 0.19.1. The issue allows any authenticated user to obtain arbitrary private message contents by calling the API at /api/v3/private_message/report; the response can include the private message itself and, in so...

7.5 CVSS · 6.4 AI score · 0.00505 EPSS
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2024/01/24 6:9 p.m. · 45 views

CVE-2024-23649 Any authenticated user may obtain private message details from other users on the same instance

Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message...

7.5 CVSS · 7.7 AI score · 0.00505 EPSS
Exploits 0 · References 2
OSV
added 2024/01/24 6:9 p.m. · 38 views

CVE-2024-23649 Any authenticated user may obtain private message details from other users on the same instance

Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message...

7.5 CVSS · 6.4 AI score · 0.00505 EPSS
Exploits 0 · References 4
NVD
added 2024/01/24 12:15 a.m. · 11 views

CVE-2024-23453

Android Spoon application version 7.11.1 to 8.6.0 uses hard-coded credentials, which may allow a local attacker to retrieve the hard-coded API key when the application binary is reverse-engineered. This API key may be used for unexpected access of the associated service...

5.5 CVSS · 5.3 AI score · 0.00163 EPSS
Exploits 0 · References 3
OSV
added 2024/01/24 12:15 a.m. · 2 views

CVE-2024-23453

Android Spoon application version 7.11.1 to 8.6.0 uses hard-coded credentials, which may allow a local attacker to retrieve the hard-coded API key when the application binary is reverse-engineered. This API key may be used for unexpected access of the associated service...

5.5 CVSS · 5.7 AI score · 0.00163 EPSS
Exploits 0 · References 3
Prion
added 2024/01/24 12:15 a.m. · 16 views

Hardcoded credentials

Android Spoon application version 7.11.1 to 8.6.0 uses hard-coded credentials, which may allow a local attacker to retrieve the hard-coded API key when the application binary is reverse-engineered. This API key may be used for unexpected access of the associated service...

1.7 CVSS · 6.8 AI score · 0.00163 EPSS
Exploits 0 · References 3 · Affected Software 1
Positive Technologies
added 2024/01/24 12:0 a.m. · 2 views

PT-2024-12039 · Unknown · Processwire

Name of the Vulnerable Software and Affected Versions: ProcessWire version 3.0.210 Description: An issue in ProcessWire allows attackers to execute arbitrary code and install a reverse shell via the download zip url parameter when installing a new module. This issue is disputed as it requires the...

7.2 CVSS · 7.8 AI score · 0.01312 EPSS
Exploits 1 · References 9
Vulnrichment
added 2024/01/24 12:0 a.m. · 1 views

CVE-2023-24676

An issue found in ProcessWire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the downloadzipurl parameter when installing a new module. NOTE: this is disputed because exploitation requires that the attacker is able to enter requests as an admin; however, a...

7.5 AI score · 0.01312 EPSS
Exploits 1 · References 1
Cvelist
added 2024/01/24 12:0 a.m. · 15 views

CVE-2023-24676

An issue found in ProcessWire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the downloadzipurl parameter when installing a new module. NOTE: this is disputed because exploitation requires that the attacker is able to enter requests as an admin; however, a...

7.5 AI score · 0.01312 EPSS
Exploits 1 · References 1
Positive Technologies
added 2024/01/24 12:0 a.m. · 5 views

PT-2024-20000 · Lemmy · Lemmy

Name of the Vulnerable Software and Affected Versions: Lemmy versions 0.17.0 through 0.19.0 Description: The issue allows any authenticated user to obtain arbitrary private message contents by creating a private message report. This is possible because the API response to creating a private messa...

7.5 CVSS · 6.4 AI score · 0.00505 EPSS
Exploits 0 · References 9
Vulnrichment
added 2024/01/23 11:12 p.m. · 9 views

CVE-2024-23453

Android Spoon application version 7.11.1 to 8.6.0 uses hard-coded credentials, which may allow a local attacker to retrieve the hard-coded API key when the application binary is reverse-engineered. This API key may be used for unexpected access of the associated service...

6.6 AI score · 0.00163 EPSS
Exploits 0 · References 3
CVE
added 2024/01/23 11:12 p.m. · 91 views

CVE-2024-23453

Android Spoon app (versions 7.11.1–8.6.0) contains a hard-coded API key that can be retrieved by reverse-engineering the binary, enabling unauthorized access to an external service. Root cause: embedded credentials in the mobile app. Impact: local attacker could obtain the API key; impact consist...

5.5 CVSS · 5.2 AI score · 0.00163 EPSS
Exploits 0 · References 3 · Affected Software 1
Japan Vulnerability Notes
added 2024/01/23 7:53 a.m. · 3 views

Android App "Spoon" uses a hard-coded API key for an external service

Overview Android App "Spoon" provided by Spoon Radio Japan Inc. uses a hard-coded API key for an external service CWE-798. Yoshihito Sakai of BroadBand Security, Inc reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...

5.5 CVSS · 6.6 AI score · 0.00163 EPSS
Exploits 0 · References 6
CNNVD
added 2024/01/23 12:0 a.m. · 4 views

Spoon Security Vulnerability

Spoon is a software from Spoon, a South Korean company that provides live streaming, talking, and chatting. A security vulnerability exists in Spoon versions 7.11.1 through 8.6.0. An attacker exploited the vulnerability to retrieve hard-coded API keys when reverse engineering application binaries...

5.5 CVSS · 6.7 AI score · 0.00163 EPSS
Exploits 0 · References 3
Japan Vulnerability Notes
added 2024/01/23 12:0 a.m. · 30 views

JVN#96154238: Android App "Spoon" uses a hard-coded API key for an external service

Android App "Spoon" provided by Spoon Radio Japan Inc. uses a hard-coded API key for an external service CWE-798. Impact The hard-coded API key may be retrieved when the application binary is reverse-engineered. This API key may be used for unexpected access of the associated service. Note that t...

5.5 CVSS · 5.3 AI score · 0.00163 EPSS
Exploits 0
Positive Technologies
added 2024/01/23 12:0 a.m. · 5 views

PT-2024-19877 · Unknown · Android Spoon

Name of the Vulnerable Software and Affected Versions: Android Spoon application versions 7.11.1 through 8.6.0 Description: The issue concerns the use of hard-coded credentials in the application, which could allow a local attacker to retrieve a hard-coded API key by reverse-engineering the...

5.5 CVSS · 5.3 AI score · 0.00163 EPSS
Exploits 0 · References 5
GithubExploit
added 2024/01/22 2:45 p.m. · 590 views

Exploit for CVE-2022-25765

CVE-2022-25765 Exploit A small POC exploit for CVE-2022-25765,...

9.8 CVSS · 9.8 AI score · 0.38924 EPSS
Exploits 11
Github Security Blog
added 2024/01/19 8:31 p.m. · 38 views

SurrealDB vulnerable to Uncontrolled CPU Consumption via WebSocket Interface

SurrealDB depends on the tungstenite and tokio-tungstenite crates used by the axum crate, which handles connections to the SurrealDB WebSocket interface. On versions before 0.20.1, the tungstenite crate presented an issue which allowed the parsing of HTTP headers during the client handshake to...

7.5 CVSS · 7.4 AI score · 0.0162 EPSS
Exploits 1 · References 7 · Affected Software 1
OSV
added 2024/01/19 8:31 p.m. · 31 views

GHSA-58J9-J2FJ-V8F4 SurrealDB vulnerable to Uncontrolled CPU Consumption via WebSocket Interface

SurrealDB depends on the tungstenite and tokio-tungstenite crates used by the axum crate, which handles connections to the SurrealDB WebSocket interface. On versions before 0.20.1, the tungstenite crate presented an issue which allowed the parsing of HTTP headers during the client handshake to...

7.5 CVSS · 7.6 AI score · 0.0162 EPSS
Exploits 1 · References 7
Kitploit
added 2024/01/17 11:30 a.m. · 220 views

pyGPOAbuse - Partial Python Implementation Of SharpGPOAbuse

Python partial implementation of SharpGPOAbuse by @pkb1s This tool can be used when a controlled account can modify an existing GPO that applies to one or more users & computers. It will create an immediate scheduled task as SYSTEM on the remote computer for computer GPO, or as logged in user for...

7.3 AI score
Exploits 0 · References 4