CVE-2019-18256

BIOTRONIK CardioMessenger II, The affected products use individual per-device credentials that are stored in a recoverable format. An attacker with physical access to the CardioMessenger can use these credentials for network authentication and decryption of local data in transit...

Authentication flaw

BIOTRONIK CardioMessenger II, The affected products use individual per-device credentials that are stored in a recoverable format. An attacker with physical access to the CardioMessenger can use these credentials for network authentication and decryption of local data in transit...

Cellebrite EPR Decryption Relies on Hardcoded AES Key Material

Vulnerability Details Affected Vendor: Cellebrite Affected Product: UFED Affected Version: 5.0 - 7.5.0.845 Platform: Embedded Windows CWE Classification: CWE-321: Hardcoded Use of Cryptography Keys CVE ID: CVE-2020-14474 2. Vulnerability Description The Cellebrite UFED Physical device relies on...

IBM API Connect Information Disclosure Vulnerability (CNVD-2020-36386)

IBM API Connect APIConnect is a suite of integrated solutions for managing the API lifecycle from IBM USA. The product supports creating, running, managing, and securing APIs, microservices, and more. A security vulnerability exists in IBM API Connect versions 2018.4.1.0 through 2018.4.1.11, whic...

RSA PKCS#1 decryption vulnerability with prepending zeros in jsrsasign

Impact Jsrsasign supports RSA PKCS1 v1.5 i.e. RSAES-PKCS1-v15 and RSA-OAEP encryption and decryption. Its encrypted message is represented as BigInteger. When there is a valid encrypted message, a crafted message with prepending zeros can be decrypted by this vulnerability. - If you don't use RSA...

GHSA-XXXQ-CHMP-67G4 RSA PKCS#1 decryption vulnerability with prepending zeros in jsrsasign

Impact Jsrsasign supports RSA PKCS1 v1.5 i.e. RSAES-PKCS1-v15 and RSA-OAEP encryption and decryption. Its encrypted message is represented as BigInteger. When there is a valid encrypted message, a crafted message with prepending zeros can be decrypted by this vulnerability. - If you don't use RSA...

Emerging Ransomware Targets Photos, Videos on Android Devices

A new strain of ransomware has arisen in Canada, targeting Android users and locking up personal photos and videos. Called CryCryptor, it has initially been spotted pretending to be the official COVID-19 tracing app provided by Health Canada. It’s propagating via two different bogus websites that...

Insecure RSA Signature Validation

jsrsasign does not properly validate RSA signatures. The decryption implementation does not detect ciphertext modification prepended by \0 bytes to ciphertexts, allowing an attacker to prepend NULL bytes with the goal of triggering memory corruption issues...

CVE-2020-14967

An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts it decrypts modified ciphertexts without error. An attacker might prepend these bytes with the...

CVE-2020-14967

An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts it decrypts modified ciphertexts without error. An attacker might prepend these bytes with the...

Memory corruption

An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts it decrypts modified ciphertexts without error. An attacker might prepend these bytes with the...

CVE-2020-14967

An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts it decrypts modified ciphertexts without error. An attacker might prepend these bytes with the...

CVE-2020-14967

CVE-2020-14967 affects the jsrsasign package for Node.js prior to version 8.0.18. The RSA PKCS1 v1.5 decryption path does not detect ciphertext modifications when zeros are prepended to ciphertexts, allowing modified ciphertexts to be decrypted without error and potentially triggering memory corr...

PT-2020-14094 · Jsrsasign · Jsrsasign

Name of the Vulnerable Software and Affected Versions: jsrsasign versions prior to 8.0.18 Description: The issue concerns the RSA PKCS1 v1.5 decryption implementation in the jsrsasign package. It fails to detect ciphertext modification when '0' bytes are prepended to ciphertexts, allowing it to...

Ubiquiti Configuration Importer

This module imports an Ubiquiti device configuration. The db file within the .unf backup is the data file for Unifi. This module can take either the db file or .unf. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework...

SOS JobScheduler 1.13.3 CVE-2020-12712 Stored Password Decryption

SOS JobScheduler version 1.13.3 encrypts a secret by simply using the name of a profile as the key, making it trivial to decrypt. Exploit Title: SOS JobScheduler 1.13.3 - Stored Password Decryption Google Dork: N/A Date: 2020-04-20 Exploit Author: Sander Ubink Vendor Homepage: www.sos-berlin.com...

EulerOS 2.0 SP2 : libgcrypt (EulerOS-SA-2020-1672)

According to the versions of the libgcrypt packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proxima...

Hardcoded credentials

Use of a hard-coded cryptographic key to encrypt password data in CLI configuration in FortiManager 6.2.3 and below, FortiAnalyzer 6.2.3 and below may allow an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data, via knowledge of the hard-coded key...

CVE-2020-9289

Use of a hard-coded cryptographic key to encrypt password data in CLI configuration in FortiManager 6.2.3 and below, FortiAnalyzer 6.2.3 and below may allow an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data, via knowledge of the hard-coded key...

CVE-2020-9289

Use of a hard-coded cryptographic key to encrypt password data in CLI configuration in FortiManager 6.2.3 and below, FortiAnalyzer 6.2.3 and below may allow an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data, via knowledge of the hard-coded key...