Category - API Security Blog

Flickr: Information Disclosure: .dockerignore file is publicly accessible

Vulnerability description not...Read More ...

January 28, 2025

U.S. Dept Of Defense: Public google drive link Exposes Military Orders Containing PII (Name, SSN etc..) and Operational Details

A public Google Drive link was found to contain PDF files that exposed personally identifiable information (PII) of military personnel, including full names, social security numbers, home addresses, m ...

January 28, 2025

XVIDEOS: Lack of Rate Limiting on Account Creation Endpoint

The account creation process of www.xvideos.red was found to lack proper rate limiting mechanisms on the /account/signinform/premium_tour_login endpoint. This security flaw allowed for automated creat ...

January 28, 2025

espaimacia.cat Cross Site Scripting vulnerability OBB-4015297

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified th ...

January 28, 2025

curl: When curl uses Schannel as TLS backend, it fails to enforce TLS 1.3 cipher suite selections correctly

Vulnerability description not...Read More ...

January 28, 2025

AWS VDP: Reflected XSS on Amazon EC2 Instance

Vulnerability description not...Read More ...

January 28, 2025

Trellix: Unauthenticated Path Traversal and Command Injection in Trellix Enterprise Security Manager 11.6.10

A critical vulnerability was identified in Trellix Enterprise Security Manager (ESM) version 11.6.10. The vulnerability allowed unauthenticated access to internal API endpoints through path traversal ...

January 28, 2025

Node.js: Usage of unsafe random function in undici for choosing boundary

The vulnerability in the Undici library involves the use of an unsafe random function to choose the boundary for a multipart/form-data request. The use of Math.random() to generate this boundary can b ...

January 28, 2025