593 matches found
A combination of punches: three vulnerabilities to achieve a PayPal account-hijacking-vulnerability warning-the black bar safety net
PayPal is an eBay owned popular third-party payment product, similar to domestic PayPal. Recently researchers in their web applications were found in three high-risk vulnerabilities, an attacker can exploit these vulnerabilities to control any user of the PayPal account. The black bar safety net...
Ubuntu 14.04 LTS : OpenStack Nova vulnerability (USN-2325-1)
The remote Ubuntu 14.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-2325-1 advisory. Alex Gaynor discovered that OpenStack Nova would sometimes respond with variable times when comparing authentication tokens. If nova were configured to proxy...
DEBIAN-CVE-2014-4615
The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry Ceilometer 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain XAUTHTOKEN values by reading the message queue...
pycadf: token leak to message queue
It was found that authentication tokens were not properly sanitized from the message queue by the notifier middleware. An attacker with read access to the message queue could possibly use this flaw to intercept an authentication token and gain elevated privileges. Note that all services using the...
Facebook SDK vulnerability threatening millions of mobile phone users accounts-vulnerability warning-the black bar safety net
From MetaIntell the smartphone leadership risk management(MRM)security researchers, found a latest version of Facebook SDK vulnerability in the vulnerability exposes millions of Facebook user's authentication token, it still sounds very scary. ! Facebook for Android and IOS SDK provides the use o...
Factlink: Sign up CSRF
Any user can be forced to sign up and presented with a home dash board . here is the csrf Save this any name.html and then double clik you will be presented as home panel authentication token is there but that is not preventing csrf issue . Remediation : Use CSRF token . Thanks CKN...
CVE-2013-4471
The Identity v3 API in OpenStack Dashboard Horizon before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user...
DEBIAN-CVE-2013-4471
The Identity v3 API in OpenStack Dashboard Horizon before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user...
CVE-2013-4471
The Identity v3 API in OpenStack Dashboard Horizon before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user...
CVE-2013-4471
The Identity v3 API in OpenStack Dashboard Horizon before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user...
CVE-2013-4471
The Identity v3 API in OpenStack Dashboard Horizon before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user...
PYSEC-2014-70
The authtoken middleware in the OpenStack Python client library for Keystone aka python-keystoneclient before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, relat...
PYSEC-2013-45
keystone/middleware/authtoken.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova...
Zimbra Collaboration Server LFI
This module requires Metasploit: http//metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'rexml/document' class Metasploit3 'Zimbra Collaboration Server LFI', 'Description' = %q This module exploits a local file inclusion on Zimbra...
Zimbra Collaboration Server LFI
This module exploits a local file inclusion on Zimbra 8.0.2 and 7.2.2. The vulnerability allows an attacker to get the LDAP credentials from the localconfig.xml file. The stolen credentials allow the attacker to make requests to the service/admin/soap API. This can then be used to create an...
Windows Management Instrumentation (WMI) Remote Command Execution
This Metasploit module executes powershell on the remote host using the current user credentials or those supplied. Instead of using PSEXEC over TCP port 445 we use the WMIC command to start a Remote Procedure Call on TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel traffic...
Windows Management Instrumentation (WMI) Remote Command Execution
This module executes powershell on the remote host using the current user credentials or those supplied. Instead of using PSEXEC over TCP port 445 we use the WMIC command to start a Remote Procedure Call on TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel traffic through that...
CVE-2013-2059
OpenStack Identity Keystone Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token...
CVE-2013-2059
OpenStack Identity Keystone Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token...
Lilac vulnerability of small packs containing process, the reflective xss the use of skill-the loophole warning-the black bar safety net
Brief description: Lilac garden a few small packs, xss+url jump Detailed description: http://paper.pubmed.cn/do.php?ac=login&rfu=http://paper. pubmed. cn/ rfu address not verified http://paper.pubmed.cn/do.php?ac=login&rfu=can be configured on any link to jump The main or talk aboutxss?, no...