Category - API Security Blog

U.S. Dept Of Defense: XSS vulnerability found in javascript code of https://███.mil

The XSS vulnerability was found in the JavaScript code of the website https://███.mil. The parameter "code" was not sufficiently sanitized, allowing the injection of malicious ...

January 28, 2025

XVIDEOS: Lack of Rate Limiting on Account Creation Endpoint

The account creation process of www.xvideos.red was found to lack proper rate limiting mechanisms on the /account/signinform/premium_tour_login endpoint. This security flaw allowed for automated creat ...

January 28, 2025

Node.js: Usage of unsafe random function in undici for choosing boundary

The vulnerability in the Undici library involves the use of an unsafe random function to choose the boundary for a multipart/form-data request. The use of Math.random() to generate this boundary can b ...

January 28, 2025

curl: bypass of this Fixed #2437131 [ Inadequate Protocol Restriction Enforcement in curl ]

Vulnerability description not...Read More ...

January 28, 2025

Nextcloud: Blind SSRF Vulnerability in Appstore Release Upload Form

Vulnerability description not...Read More ...

January 28, 2025

cmpentecoste.ce.gov.br Cross Site Scripting vulnerability OBB-4012826

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified th ...

January 28, 2025

Internet Bug Bounty: netrc and redirect credential leak

The netrc file in curl could lead to the unintentional leakage of a password to a different host when following HTTP redirects, if the netrc file had an entry matching the redirect target hostname but ...

January 28, 2025

XVIDEOS: Stored XSS via SMTP Error Message

A Stored Cross-Site Scripting (XSS) vulnerability was identified on the /account/email page for www.xvideos.com. The vulnerability arose from the improper handling of SMTP error messages, which were p ...

January 28, 2025