Improper Certificate Validation
Overview: yapi-vendor is a YAPI. Affected versions of this package are vulnerable to Improper Certificate Validation because the HTTPS agent is configured with rejectUnauthorized: false. An attacker who can intercept network traffic can perform a man-in-the-middle attack and manipulate it. Remediation...
GHSA-4JQW-VFMJ-9RMH Cross-site Scripting in yapi-vendor
Cross Site Scripting (XSS) vulnerability in yapi 1.9.1 allows attackers to execute arbitrary code via the /interface/api edit page...
Insecure Random Number Generator
yapi-vendor uses an insecure random number generator. The JSON Web Token (JWT) signing secret generation allows recreation of other users' JWT tokens because it uses Math.random, an insecure random number generator...
GHSA-2H3H-VW8R-82RP Weak JSON Web Token in yapi-vendor
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used as the source of randomness for JWT signing. Math.random does not provide cryptographically secure random numbers. This has be...
Insecure JWT Signing
yapi-vendor does not perform secure JWT signing. The function randStr uses a cryptographically insecure pseudo-random number generator, Math.random, to create a random-looking string that is later used to sign and verify issued tokens...