17 matches found

RedhatCVE
added 2025/10/28 1:49 p.m. · 4 views

CVE-2025-11248

ZohoCorp ManageEngine Endpoint Central versions prior to 11.4.2528.05 are vulnerable to a sensitive information logging issue. An authenticated user with access to the logs could potentially obtain the sensitive agent token...

CVSS 4.3 · AI score 6.3 · EPSS 0.00362
Exploits 0 · References 1
Positive Technologies
added 2025/07/21 12:00 a.m. · 1 view

PT-2025-30245 · Asus · Myasus

Name of the Vulnerable Software and Affected Versions: MyASUS, affected versions not specified. Description: An insecure sensitive key storage issue was found in MyASUS, potentially allowing an unauthorized actor to obtain a token that could be used to communicate with certain services...

CVSS 7.7 · AI score 5.9 · EPSS 0.00323
Exploits 0 · References 7
RedhatCVE
added 2025/05/23 7:41 a.m. · 7 views

CVE-2024-55452

A URL redirection vulnerability exists in UJCMS 9.6.3 due to improper validation of URLs in the upload and rendering of new block / carousel items. This vulnerability allows authenticated attackers to redirect unprivileged users to an arbitrary, attacker-controlled webpage. When an authenticated...

CVSS 5.4 · AI score 6.6 · EPSS 0.00143
Exploits 1 · References 1
RedhatCVE
added 2025/03/19 7:19 a.m. · 5 views

CVE-2025-1724

Zohocorp's ManageEngine Analytics Plus and Zoho Analytics on-premise versions older than 6130 are vulnerable to an AD only account takeover because of a hardcoded sensitive token...

CVSS 7.4 · AI score 6.8 · EPSS 0.01319
Exploits 0 · References 1
NVD
added 2024/12/16 11:15 p.m. · 12 views

CVE-2024-55452

A URL redirection vulnerability exists in UJCMS 9.6.3 due to improper validation of URLs in the upload and rendering of new block / carousel items. This vulnerability allows authenticated attackers to redirect unprivileged users to an arbitrary, attacker-controlled webpage. When an authenticated...

CVSS 5.4 · EPSS 0.00143
Exploits 1 · References 2
Cvelist
added 2024/12/16 12:00 a.m. · 11 views

CVE-2024-55451

A Stored Cross-Site Scripting XSS vulnerability exists in authenticated SVG file upload and viewing functionality in UJCMS 9.6.3. The vulnerability arises from insufficient sanitization of embedded attributes in uploaded SVG files. When a maliciously crafted SVG file is viewed by other backend...

EPSS 0.00103
Exploits 1 · References 2
Cvelist
added 2024/12/16 12:00 a.m. · 13 views

CVE-2024-55452

A URL redirection vulnerability exists in UJCMS 9.6.3 due to improper validation of URLs in the upload and rendering of new block / carousel items. This vulnerability allows authenticated attackers to redirect unprivileged users to an arbitrary, attacker-controlled webpage. When an authenticated...

EPSS 0.00143
Exploits 1 · References 2
Cvelist
added 2024/11/18 8:45 a.m. · 20 views

CVE-2024-45791 Apache HertzBeat: Exposure sensitive token via http GET method with query string

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat: before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue...

EPSS 0.00325
Exploits 0 · References 2
Vulnrichment
added 2024/11/18 8:45 a.m. · 10 views

CVE-2024-45791 Apache HertzBeat: Exposure sensitive token via http GET method with query string

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat: before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue...

AI score 7.1 · EPSS 0.00325
Exploits 0 · References 2
Hacker One
added 2020/08/07 9:40 p.m. · 21 views

Uber: Critical Information disclosure of rtapi token for any user via https://video-support-staging.uber.com/video/api/getPopulousUser

The researcher has identified that the API endpoint can be leveraged to return a sensitive token that can be leveraged for access to rtapi endpoints. As an example, change x-uber-token value with the following found code:...

AI score 0.7
Exploits 0
Hacker One
added 2020/03/03 4:45 p.m. · 13 views

Rockstar Games: Referer Leakage in language changer may lead to FB token theft.

In this report, the researcher identified a CSRF vulnerability in the language changing function on https://www.rockstargames.com/GTAOnline/ that could be combined with other vulnerabilities to result in sensitive token theft such as Oauth tokens. This vulnerability would be triggered when changi...

AI score 0.7
Exploits 0
Cvelist
added 2019/08/05 1:40 p.m. · 10 views

CVE-2019-4284

IBM Cloud Private 2.1.0, 3.1.0, 3.1.1, and 3.1.2 could allow a local privileged user to obtain sensitive OIDC token that is printed to log files, which could be used to log in to the system as another user. IBM X-Force ID: 160512...

CVSS 4.4 · AI score 4.3 · EPSS 0.00044
Exploits 0 · References 2
Hacker One
added 2019/07/27 4:09 a.m. · 12 views

Rockstar Games: Image Injection Vulnerability on /bully/screens

In this report, the researcher identified an image injection vulnerability in www.rockstargames.com/bully/screens that could be combined with other vulnerabilities to result in sensitive token theft from other users. This vulnerability has since been patched to prevent it from being exploitable...

AI score 3.3
Exploits 0
Hacker One
added 2019/07/25 4:56 p.m. · 19 views

Rockstar Games: Image Injection on `/bully/anniversaryedition` may lead to FB's OAuth Token Theft.

In this report, the researcher identified a chain of attacks that could result in sensitive token leakage, such as Oauth tokens. The attack would begin with an image injection exploit on the page at https://www.rockstargames.com/bully/anniversaryedition. That exploit was the focus of this...

AI score 0.8
Exploits 0
Hacker One
added 2019/03/05 4:03 p.m. · 20 views

Rockstar Games: Image injection on /screenshot-viewer/responsive/image ( FIX BYPASS)

In this report, the researcher identified an image injection issue in the screenshot-viewer utility on our website that could be combined with other vulnerabilities to result in sensitive token theft. We were able to quickly push out an update to resolve the image injection issue, thereby...

AI score 3
Exploits 0
0day.today
added 2017/08/23 12:00 a.m. · 55 views

Progress Sitefinity 9.1 XSS Vulnerability

Progress Sitefinity version 9.1 suffers from cross site scripting, broken session management, and open redirection vulnerabilities. title: Multiple vulnerabilities; product: Progress Sitefinity; vulnerable version: 9.1; fixed...

AI score 7.2
Exploits 0
Prion
added 2014/05/14 11:13 a.m. · 14 views

Security feature bypass

Microsoft Office 2013 Gold, SP1, RT, and RT SP1 allows remote attackers to obtain sensitive token information via a web site that sends a crafted response during opening of an Office document, aka "Token Reuse Vulnerability."...

CVSS 4.3 · AI score 6.4 · EPSS 0.14709
Exploits 0 · References 1 · Affected Software 1