81 matches found
Command Execution Vulnerability in YApi
YApi is an API management platform designed to provide more elegant interface management services for developers, products, and testers. It can help developers easily create, publish and maintain APIs. YApi suffers from a command execution vulnerability. An attacker can exploit this vulnerability...
Insecure Random Number Generator
yapi-vendor uses an insecure random number generator. The JSON Web Token (JWT) signing secret generation allows recreation of other users' JWT tokens due to the usage of an insecure random number generator, Math.random...
Weak JSON Web Token in yapi-vendor
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used as a source of randomness in JWT signing. Math.random does not provide cryptographically secure random numbers. This has be...
GHSA-2H3H-VW8R-82RP Weak JSON Web Token in yapi-vendor
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used as a source of randomness in JWT signing. Math.random does not provide cryptographically secure random numbers. This has be...
CVE-2021-27884
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used...
CVE-2021-27884
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used...
Code injection
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used...
CVE-2021-27884
The vulnerability CVE-2021-27884 affects YMFE YApi up to version 1.9.2, where the JWT signing secret is generated using Math.random() in Node.js. This weak randomness allows an attacker to recreate other users’ JWTs by exploiting predictable secret generation. Connected advisories (GHSA-2H3H-VW8R-82R...
CVE-2021-27884
Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used...
YMFE YApi Security Feature Issue Vulnerability
Sean1025 YMFE YApi is an open source application that provides a visual interface management platform. A security vulnerability exists in YMFE YApi through 1.9.2 that allows the recreation of JWT tokens for other users...
Insecure JWT Signing
yapi-vendor does not perform secure JWT signing. The function randStr uses a cryptographically insecure pseudo-random number generator, Math.random, to create a random-looking string that is later used to sign and verify issued tokens...
Command Execution Vulnerability in YApi Interface Management Platform
YApi is an API management platform designed to provide more elegant interface management services for developers, products, and testers. It can help developers easily create, publish and maintain APIs. YApi interface management platform has a command execution vulnerability that can be exploited ...
GHSA-5XGH-643P-CP2G Cross-site Scripting in yapi-vendor
An issue was discovered in YMFE YApi 1.3.23. There is stored XSS in the name field of a project...
Cross-site Scripting in yapi-vendor
An issue was discovered in YMFE YApi 1.3.23. There is stored XSS in the name field of a project...
YMFE YApi Cross-Site Scripting Vulnerability
YMFE YApi is a visual interface management platform. A cross-site scripting vulnerability exists in the item name field in YMFE YApi version 1.3.23. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML...
Cross-site Scripting (XSS)
yapi-cli is vulnerable to a cross-site scripting (XSS) attack. The library does not sanitize or validate the projectName variable, allowing a malicious user to inject and execute arbitrary JavaScript...
Cross site scripting
An issue was discovered in YMFE YApi 1.3.23. There is stored XSS in the name field of a project...
CVE-2018-17574
An issue was discovered in YMFE YApi 1.3.23. There is stored XSS in the name field of a project...
CVE-2018-17574
An issue was discovered in YMFE YApi 1.3.23. There is stored XSS in the name field of a project...
CVE-2018-17574
CVE-2018-17574 affects YMFE YApi 1.3.23 with a stored XSS vulnerability in the project name field. The issue is described across multiple sources (NVD entry and related advisories) as a stored cross-site scripting flaw in YMFE YApi 1.3.23; CVSS v3.0 base score 5.4 (MEDIUM), CVSS v2 base score 3.5...