Category - API Security Blog

Yelp: Object Level access control leads to reading user’s full requests, sessions, and error messages

The vulnerability allowed unauthenticated attackers to read the internal admin's full sessions, HTTP requests data, and other internal information through the error logging endpoint. The vulnerab ...

January 28, 2025

Automattic: Open redirect via redirect_to parameter in tumblr.com

The Tumblr website was affected by an open redirect vulnerability that allowed an attacker to redirect users to a specified URL through the "redirect_to" parameter. This vulnerabilit ...

January 28, 2025

curl: When curl uses Schannel as TLS backend, it fails to enforce TLS 1.3 cipher suite selections correctly

Vulnerability description not...Read More ...

January 28, 2025

TikTok: Unauthorized Access to TikTok Account [Private Videos] via API Endpoint

The vulnerability on a TikTok endpoint that allowed unauthorized viewing of videos from private accounts was discovered and reported by @datph4m. The issue was subsequently...Read More ...

January 28, 2025

AWS VDP: A potential risk in the cloudFrontExtensionsConsole which can be used to privilege escalation.

A potential risk was found in the cloudFrontExtensionsConsole when it was deployed in the awslabs repository on GitHub. The functions created by the application had excessive permissions that could be ...

January 28, 2025

WordPress: Unauthenticated WordPress Database Repair DoS

Vulnerability description not...Read More ...

January 28, 2025

XVIDEOS: Lack of Rate Limiting on Account Creation Endpoint

The account creation process of www.xvideos.red was found to lack proper rate limiting mechanisms on the /account/signinform/premium_tour_login endpoint. This security flaw allowed for automated creat ...

January 28, 2025

curl: Exploitable Format String Vulnerability in curl_mfprintf Function

Vulnerability description not...Read More ...

January 28, 2025