ciso brief

All news tagged #api authorization flaw

2 articles

SolisCloud API Authorization Bypass Affects Monitoring

⚠️ CISA warns of an authorization bypass (IDOR) in the SolisCloud Monitoring Platform affecting Cloud API and Device Control API v1 and v2. An authenticated user can access detailed plant data by manipulating the plant_id parameter, exposing sensitive information. The issue is tracked as CVE-2025-13932 with a CVSS v4 score of 8.3 and is remotely exploitable with low complexity. SolisCloud has not engaged with CISA; users should limit network exposure and follow CISA mitigation guidance.

Opto 22 groov View: API exposes user API keys and metadata

🔒 CISA warns that Opto 22's groov View API exposes API keys and user metadata through a users endpoint that returns the keys for all accounts to any principal with an Editor role. The issue affects groov View Server for Windows R1.0a–R4.5d and GRV-EPIC-PR1/PR2 firmware prior to 4.0.3. Successful exploitation could disclose credentials, reveal keys, and enable privilege escalation; Opto 22 has released patches and recommends upgrading to Server R4.5e and firmware 4.0.3 alongside network-level mitigations.