929 matches found
Information disclosure
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys...
Information disclosure
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys...
CVE-2019-3739
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys...
CVE-2019-3740
CVE-2019-3740 concerns RSA BSAFE Crypto-J used by Oracle GoldenGate Install (Dell BSAFE Crypto-J). The root cause is a timing-discrepancy vulnerability during DSA key generation that could allow a remote attacker to recover DSA private keys. Affected product/component: Oracle GoldenGate (Install ...
CVE-2019-3739
CVE-2019-3739 concerns RSA BSAFE Crypto-J versions prior to 6.2.5, where information exposure can occur via timing discrepancy during ECDSA key generation. The vulnerability could allow a remote attacker to recover ECDSA keys. The provided documents identify the affected component as Dell/Certico...
CVE-2019-3740
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys...
Side channel timing attacks against (EC)DSA in RSA BSAFE CVE-2019-3739/CVE-2019-3740 - Project Wycheproof is the AFL for Cryptography
About a year ago I wrote this tweet and now I can finally justify it Project Wycheproof https://t.co/wBz9P8atHs is the AFL https://t.co/JM2l557PZi of crypto. Thanks a lot @XorNinja and team notably including Bleichenbacher for providing such a powerful tool — Antonio Sanso @asanso April 9, 2018 i...
Design/Logic Flaw
HumHub Social Network Kit Enterprise v1.3.13 allows remote attackers to find the user accounts existing on any Social Network Kits including self-hosted ones by brute-forcing the username after the /u/ initial URI substring, aka Response Discrepancy Information Exposure...
CVE-2019-12743
HumHub Social Network Kit Enterprise v1.3.13 allows remote attackers to find the user accounts existing on any Social Network Kits including self-hosted ones by brute-forcing the username after the /u/ initial URI substring, aka Response Discrepancy Information Exposure...
CloudBees Jenkins jenkins-reviewbot plugin cross-site request forgery vulnerability
CloudBees Jenkins Hudson Labs is the United States CloudBees company's set of Java-based development of continuous integration tools . The product is mainly used to monitor the continuous software version of the release/test project and some timed tasks . jenkins-reviewbot Plugin is used in one o...
FreeBSD : Gitlab -- Multiple vulnerabilities (da459dbc-5586-11e9-abd6-001b217b3468)
Gitlab reports : DoS potential for regex in CI/CD refs Related branches visible in issues for guests Persistent XSS at merge request resolve conflicts Improper authorization control 'move issue' Guest users of private projects have access to releases DoS potential on project languages page Recuri...
Gitlab -- Multiple vulnerabilities
Gitlab reports: DoS potential for regex in CI/CD refs Related branches visible in issues for guests Persistent XSS at merge request resolve conflicts Improper authorization control "move issue" Guest users of private projects have access to releases DoS potential on project languages page Recurit...
HackerOne: A small set of users were assigned someone else's payout preference
On December 20th, 2016, HackerOne introduced a new payout preference that allowed employee bounties to be paid through payroll. At the time, a feature was added to our support backend that allowed the IT department to provision this special payout preference for HackerOne employees. To help the I...
Design/Logic Flaw
Vesta CP version Prior to commit f6f6f9cfbbf2979e301956d1c6ab5c44386822c0 -- any release prior to 0.9.8-18 contains a CWE-208 / Information Exposure Through Timing Discrepancy vulnerability in Password reset code -- web/reset/index.php, line 51 that can result in Possible to determine password...
CVE-2018-1000884
Vesta CP version Prior to commit f6f6f9cfbbf2979e301956d1c6ab5c44386822c0 -- any release prior to 0.9.8-18 contains a CWE-208 / Information Exposure Through Timing Discrepancy vulnerability in Password reset code -- web/reset/index.php, line 51 that can result in Possible to determine password...
CVE-2018-1000884
CVE-2018-1000884 affects Vesta CP prior to 0.9.8-18, where the password reset code in web/reset/index.php (line 51) exposes information due to a timing discrepancy (CWE-208). This can allow an attacker, via unauthenticated network access, to determine password reset codes and potentially change t...
Information disclosure
An Information Exposure through Discrepancy vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where the web server sends different responses in a way that exposes security-relevant information about the state of the product, such as whether...
CVE-2018-7812
CVE-2018-7812 affects Schneider Electric Modicon M340, Premium, Quantum PLCs and BMXNOR0200. The embedded web servers expose security-relevant information by returning different responses (information-disclosure via discrepancy), revealing state or operation outcomes. Affects confidentiality (par...
CVE-2018-7812
An Information Exposure through Discrepancy vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where the web server sends different responses in a way that exposes security-relevant information about the state of the product, such as whether...
Design/Logic Flaw
An issue was discovered in Sales & Company Management System SCMS through 2018-06-06. There is a discrepancy in username checking between a component that does string validation, and a component that is supposed to query a MySQL database. Thus, it is possible to register a new account with a...