Category - API Security Blog

CVE-2022-25229

Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)'' field via the 'settings' page. The 'nodeIntegration' configuration is set to on which allows the webpage to use 'NodeJs' features, an ...

May 20, 2022

Improper Privilege Management API V2

# Description There are some `api v2` doesn't check permission allow attackers to retrieve/edit information `ticket`,`account`,`group`,`department`,`team`,`ElasticSearch` # Proof of Concept *Get user ...

May 20, 2022

Register users in spite of Allow User Registration disabled

# Description Attacker can register a user in spite of the `Allow User Registration` is disable by default. # Proof of Concept 1. Go to `/captcha`, get the captcha value and cookie. ![alt text](htt ...

May 20, 2022

CVE-2022-30617

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., cr ...

May 19, 2022

CVE-2022-30618

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated ...

May 19, 2022

CVE-2022-29845

In Progress Ipswitch WhatsUp Gold 21.1.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction that would allow them to read the contents of a local file. ...

May 19, 2022

CVE-2021-42646

XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Mana ...

May 19, 2022

CVE-2022-29848

In Progress Ipswitch WhatsUp Gold 17.0.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction that would allow them to read sensitive operating-system attr ...

May 19, 2022