Category - API Security Blog

Mars: Insecure API Response Leads to Disclosure of Hashed Passwords

A security vulnerability was identified in the API of ████████. The endpoint ████████ was found to return sensitive user information, including hashed passwords, in its ...

January 28, 2025

AWS VDP: A potential risk in the experimental-programmatic-access-ccft which can be used to privilege escalation.

The experimental-programmatic-access-ccft application created a function with an associated role that was assigned policies with overly broad "sts:AssumeRole" permissions for &qu ...

January 28, 2025

Mozilla: Denial of Access to Static Resources via Cache Poisoning on addons.allizom.org

A cache poisoning vulnerability was identified on addons.allizom.org that allowed an attacker to block access to static resources such as images and JavaScript files. The issue was exploited by proces ...

January 28, 2025

Doppler: Availability Impact from Exploiting Project Name Vulnerabilities

The vulnerability allowed a user to change the project name to a malicious string, which resulted in other users being logged out of their accounts when they attempted to access the project. This led ...

January 28, 2025

Node.js: Usage of unsafe random function in undici for choosing boundary

The vulnerability in the Undici library involves the use of an unsafe random function to choose the boundary for a multipart/form-data request. The use of Math.random() to generate this boundary can b ...

January 28, 2025

AWS VDP: Information Disclosure Due To exposed .env file (Directory Listing) at ████████

Vulnerability description not...Read More ...

January 28, 2025

IBM: Exposed Logs and Bearer Tokens on Test Endpoint

Exposed Logs and Bearer Tokens on Test Endpoint were reported to IBM, analyzed, and have been...Read More ...

January 28, 2025

Doppler: WAF bypass and java script incomplete handling of Unicode characters might leads to dom-xss

Vulnerability description not...Read More ...