CSRF on update cart functionality

I found a CSRF vulnerability in the update cart functionality where there is no **csrf** token being validated while updating the cart as the authenticated user. **Vulnerable Request:** ``` POST /demo ...

Discoverability of user password hash in Statamic CMS

## Description

It was possible to confirm a single character of a user's password hash (just the hash, not the password) using a specially crafted regular expression filter in the users endpoint of th ...

Consensys: Public Postman Api Collection Leaks Internal access to https://assets-paris-dev.codefi.network/

The researcher identified a public workspace at `https://www.postman.com/3zL77NHP5yLSKc/workspace/codefi-assets-s-public-workspace/environment/19650166-866da684-1c98-492c-a9e9-6ed287c28746` containing ...

Improper Certificate Validation in kubeclient

A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not confi ...

Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server

### Impact

All unpatched versions of Argo CD starting with v1.3.0 are vulnerable to a path traversal bug, compounded by an improper access control bug, allowing a malicious user with read-only reposit ...

Renderers can obtain access to random bluetooth device without permission in Electron

### Impact

This vulnerability allows renderers to obtain access to a random bluetooth device via the [web bluetooth API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Bluetooth_API) if the app ...

Command Injection in ungit

The package ungit before 1.5.20 is vulnerable to Remote Code Execution (RCE) via argument injection. The issue occurs when calling the /api/fetch endpoint. User-controlled values (remote and ref) are ...

api-bridge.azurewebsites.net Cross Site Scripting vulnerability OBB-2536764

Following the coordinated and responsible vulnerability disclosure guidelines of the **ISO 29147** standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. not ...
