python: Information Disclosure due to urlsplit improper NFKC normalization
It was discovered that Python's urllib.parse.urlsplit and urllib.parse.urlparse functions do not properly handle URLs encoded with Punycode/Internationalized Domain Names in Applications (IDNA), which may result in a wrong domain name, specifically in the netloc component of the URL (user@domain:port) bei...
Information disclosure
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are:...
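The netloc divergence the two entries above describe, as an added example (not code from the CPython project or from either advisory): NFKC normalization turns a fullwidth character into an ASCII delimiter, so the host named by the raw netloc and the host named by the normalized netloc differ. The last function mirrors the check the fixed versions apply: reject any netloc whose NFKC form introduces a delimiter. The netloc strings are constructed for illustration; IPv6 literals are out of scope.

```python
import unicodedata

# Delimiters that decide where the netloc ends ('/', '?', '#') and how it splits
# into userinfo, host and port ('@', ':'). If NFKC normalization introduces one
# of these, the normalized netloc names a different host than the raw one did.
NETLOC_DELIMITERS = frozenset("/?#@:")


def truncate_at_delimiter(netloc):
    """Cut a netloc at the first '/', '?' or '#', as a URL parser would."""
    cut = len(netloc)
    for ch in "/?#":
        pos = netloc.find(ch)
        if pos != -1:
            cut = min(cut, pos)
    return netloc[:cut]


def host_of(netloc):
    """Host part of a 'userinfo@host:port' netloc (IPv6 literals not handled here)."""
    host = truncate_at_delimiter(netloc).rpartition("@")[2]
    before_colon, colon, _port = host.rpartition(":")
    return before_colon if colon else host


def hosts_before_and_after_nfkc(netloc):
    """Return (host seen in the raw netloc, host seen after NFKC normalization)."""
    normalized = unicodedata.normalize("NFKC", netloc)
    return host_of(netloc), host_of(normalized)


def check_netloc(netloc):
    """Reject a netloc if NFKC normalization would introduce a delimiter; otherwise
    return it unchanged. This is the same rule the patched urlsplit enforces."""
    normalized = unicodedata.normalize("NFKC", netloc)
    introduced = sorted(c for c in NETLOC_DELIMITERS
                        if c in normalized and c not in netloc)
    if introduced:
        raise ValueError("netloc %r contains %s under NFKC normalization"
                         % (netloc, introduced))
    return netloc


# Constructed attack netlocs: U+FF03 (fullwidth '#') and U+FF20 (fullwidth '@')
# are plain letters to a parser that does not normalize, but become '#' and '@'
# under NFKC, which IDNA's nameprep step applies before encoding a hostname.
FULLWIDTH_HASH_NETLOC = "example.com\uff03@evil.example"
FULLWIDTH_AT_NETLOC = "evil.example\uff20good.example"
```

On Python versions carrying the fix, `urllib.parse.urlsplit` raises `ValueError` for these netlocs itself; on the affected versions it silently returns `evil.example` as the hostname for the first string, while any component that normalizes before resolving sees `example.com`.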
A vulnerability in Symfony, a software platform for developing and managing web applications, lies in errors in the processing of user authentication data and allows an attacker to bypass authentication.
The vulnerability in Symfony, a software platform for developing and managing web applications, is caused by errors in the processing of user authentication data. Exploiting it allows a malicious actor to bypass authentication by using an existing user's username and an empt...
Core: information disclosure due to authentication information exposed in a redirect
An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0...
CVE-2018-15752
An issue was discovered in the MensaMax aka com.breustedt.mensamax application 4.3 for Android. Cleartext Transmission of Sensitive Information allows man-in-the-middle attackers to eavesdrop authentication information between the application and the server...
CVE-2018-0335
A vulnerability in the web portal authentication process of Cisco Prime Collaboration Provisioning could allow an unauthenticated, local attacker to view sensitive data. The vulnerability is due to improper logging of authentication data. An attacker could exploit this vulnerability by monitoring...
Trojan watch
We continue to research how the proliferation of IoT devices affects the daily lives of users and their information security. In our previous study, we touched upon ways of intercepting authentication data using single-board microcomputers. This time, we turned our attention to wearable devices:...
A vulnerability in Sonatype Nexus Repository Manager, caused by the use of flawed cryptographic algorithms, allows an attacker to gain access to authentication data.
The vulnerability in Sonatype Nexus Repository Manager is caused by the use of cryptographic algorithms with known weaknesses. Exploiting it could allow a remote malicious actor to gain access to user authentication data and other sensitive information...
Ubuntu 14.04 LTS / 16.04 LTS : curl vulnerabilities (USN-3554-1)
The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3554-1 advisory. It was discovered that curl incorrectly handled certain data. An attacker could possibly use this to cause a denial of service or even to get...
USN-3554-1 curl vulnerabilities
It was discovered that curl incorrectly handled certain data. An attacker could possibly use this to cause a denial of service or even to get access to sensitive data. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. It was discovered that curl could accidentally leak authentication...
FreeBSD : cURL -- Multiple vulnerabilities (0cbf0fa6-dcb7-469c-b87a-f94cffd94583)
The cURL project reports : libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X...
[ASA-201801-25] lib32-libcurl-gnutls: multiple issues
Arch Linux Security Advisory ASA-201801-25 ========================================== Severity: Medium Date : 2018-01-29 CVE-ID : CVE-2018-1000005 CVE-2018-1000007 Package : lib32-libcurl-gnutls Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-597 Summary ======= The...
[ASA-201801-22] lib32-curl: multiple issues
Arch Linux Security Advisory ASA-201801-22 ========================================== Severity: Medium Date : 2018-01-29 CVE-ID : CVE-2018-1000005 CVE-2018-1000007 Package : lib32-curl Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-594 Summary ======= The package...
SUSE-SU-2018:0217-1 Security update for curl
This update for curl fixes one issue. This security issue was fixed: - CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects bsc1077001...
SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2018:0217-1)
This update for curl fixes one issue. This security issue was fixed: - CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects bsc1077001 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security...
CVE-2018-1000007
libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is...
DEBIAN-CVE-2018-1000007
libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is...
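The redirect behaviour described in the curl entries above (USN-3554-1, the FreeBSD and Arch advisories, SUSE-SU-2018:0217-1 and CVE-2018-1000007), as an added example in Python rather than libcurl's own code: a small redirect follower with two header policies side by side. `forward_all` reproduces the leaky behaviour of sending the caller's custom headers to every host in the chain; `headers_for_redirect` is the hardened policy, which forwards credential headers only to the same origin (scheme, host and port). Including Cookie alongside Authorization in the sensitive set is this example's choice, not a statement about what curl's fix covers. The URLs and response chain are constructed.

```python
from urllib.parse import urlsplit

# Request headers that carry credentials. The hardened policy never forwards
# them to a redirect target on a different origin. (Including Cookie here is
# this example's choice, not a claim about curl's own fix.)
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})
DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def origin(url):
    """(scheme, host, port) of a URL; a change in any of the three is a new origin,
    so an https -> http downgrade on the same host also counts as cross-origin."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def forward_all(from_url, to_url, headers):
    """The affected behaviour: every custom header goes to every redirect target."""
    return dict(headers)


def headers_for_redirect(from_url, to_url, headers):
    """Hardened policy: same origin forwards everything; a different origin gets
    the headers minus the credential-bearing ones (names compared case-insensitively)."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {name: value for name, value in headers.items()
            if name.lower() not in SENSITIVE_HEADERS}


def follow_redirects(start_url, headers, responses, policy=headers_for_redirect, max_hops=5):
    """Walk a chain of constructed responses {url: (status, location)} the way a
    redirect-following client would. Returns [(url, headers_sent_to_it), ...]."""
    url, sent, trail = start_url, dict(headers), []
    for _ in range(max_hops + 1):
        trail.append((url, sent))
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES or not location:
            return trail
        sent = policy(url, location, sent)
        url = location
    raise RuntimeError("too many redirects")


# Constructed chain: one same-origin hop, then a 307 to a third-party host.
SAMPLE_RESPONSES = {
    "https://api.example.com/v1/report": (302, "https://api.example.com/v1/report/latest"),
    "https://api.example.com/v1/report/latest": (307, "https://files.third-party.example/report.pdf"),
}
SAMPLE_HEADERS = {
    "Authorization": "Bearer s3cr3t",   # custom header set by the caller, as in the CVE
    "Cookie": "session=abc",
    "X-Request-Id": "42",
}


def leaked_hosts(policy):
    """Hosts that received the Authorization header under the given policy."""
    trail = follow_redirects("https://api.example.com/v1/report", SAMPLE_HEADERS,
                             SAMPLE_RESPONSES, policy=policy)
    return [urlsplit(url).hostname for url, sent in trail
            if any(name.lower() == "authorization" for name in sent)]
```

With `forward_all` the bearer token reaches `files.third-party.example`; with `headers_for_redirect` it stops at the last same-origin hop while non-credential headers such as `X-Request-Id` still travel the whole chain.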
A vulnerability in the Splunk Web interface of the Splunk Enterprise analytics platform allows an attacker to disclose protected information.
The vulnerability in the Splunk Web interface of the Splunk Enterprise analytics platform is caused by deficiencies in access control. Exploiting it could allow a malicious actor to gain access to REST API authentication data through speciall...
DEBIAN-CVE-2016-10351
Telegram Desktop 0.10.19 uses 0755 permissions for $HOME/.TelegramDesktop, which allows local users to obtain sensitive authentication information via standard filesystem operations...
Microsoft Outlook for Mac Spoofing Vulnerability
Microsoft Outlook is an e-mail client bundled with Microsoft's Office suite. It manages e-mail, contacts, calendars, and more. Microsoft Outlook for Mac does not properly validate HTML-tagged input, which results in a spoofing vulnerability that could allow an...