wss4j: Apache WSS4J is vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)

It was found that a prior countermeasure in Apache WSS4J for Bleichenbacher's attack on XML Encryption CVE-2011-2487 threw an exception that permitted an attacker to determine the failure of the attempted attack, thereby leaving WSS4J vulnerable to the attack. The original flaw allowed a remote...

Decrypted Nuclear exploit kit Flash exploit encryption-vulnerability warning-the black bar safety net

In recent years, the rise of Exploit Kit the EK collection a variety of exploit tools for a variety of file formats for automated analysis, exploit test. The more famous EK with Blackhole EK, Phoenix EK, Nuclear EK, etc. Recently we received Nuclear EK new sample, then the VT of the samples were...

CVE-2014-9687

eCryptfs 104 and earlier uses a default salt to encrypt the mount passphrase, which makes it easier for attackers to obtain user passwords via a brute force attack...

mysql: unspecified vulnerability related to Server:Security:Encryption (CPU Jan 2015)

Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Server : Security : Encryption...

Code injection

Bluetooth in Apple OS X before 10.10 does not require encryption for HID Low Energy devices, which allows remote attackers to spoof a device by leveraging previous pairing...

CVE-2014-4352

Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID...

CVE-2014-0897

The Configuration Patterns component in IBM Flex System Manager FSM 1.2.0.x, 1.2.1.x, 1.3.0.x, and 1.3.1.x uses a weak algorithm in an encryption step during Chassis Management Module CMM account creation, which makes it easier for remote authenticated users to defeat cryptographic protection...

CVE-2014-4686

The Project administration application in Siemens SIMATIC WinCC before 7.3, as used in PCS7 and other products, has a hardcoded encryption key, which allows remote attackers to obtain sensitive information by extracting this key from another product installation and then employing this key during...

CRYPTOCard CRYPTOAdmin 4.1 Weak Encryption Vulnerability (1)

No description provided by source. source: http://www.securityfocus.com/bid/1097/info CRYPTOCard CRYPTOAdmin is a network authentication application for use with the Palm OS platform. CRYPTOAdmin generates a .pdb file which contains the username, PIN number, serial number, and key in encrypted or...

Comersus BackOffice 4.x/5.0/6.0 /comersus/database/comersus.mdb Direct Request Database Disclosure

No description provided by source. source: http://www.securityfocus.com/bid/15251/info Comersus BackOfficePlus and BackOfficeLite are prone to multiple input validation and information disclosure vulnerabilities. The applications are prone to SQL injection attacks, information disclosure and...

PT-2014-18: Weak encryption of account data in Wonderware Information Server

The specialists of the Positive Research center have detected a Weak encryption of account data vulnerability in Wonderware Information Server. Encryption of WIS is insufficient. This vulnerability could allow elevation of privileges if an attacker decrypts the credentials. The system would need ...

CVE-2013-5468

IBM Algo One, as used in MetaData Management Tools in UDS 4.7.0 through 5.0.0, ACSWeb in Algo Security Access Control Management 4.7.0 through 4.9.0, and ACSWeb in AlgoWebApps 5.0.0, does not encrypt login requests, which allows remote attackers to obtain sensitive information by sniffing the...

CVE-2013-1853

Almanah Diary 0.9.0 and 0.10.0 does not encrypt the database when closed, which allows local users to obtain sensitive information by reading the database...

Karsten Nohl Demonstrates SIM Card Root Attack At Black Hat

LAS VEGAS–Thanks to manufacturers employing old, weak encryption on SIM cards, researchers have found a way to root the cards and get access to billions of mobile devices. German security researcher Karsten Nohl of Security Research Labs demonstrated the SIM card attack in his talk at the Black H...

Vulnerability in JP1/HIBUN Advanced Edition Information Cypher Removable Media Encryption

Overview Removable media encrypted by JP1/HIBUN Advanced Edition Information Cypher contains a vulnerability. Impact The contents of the removable media encrypted by JP1/HIBUN Advanced Edition Information Cypher can be accessed through PCs installed with JP1/HIBUN Advanced Edition Information...

Input validation

EMC RSA Authentication API before 8.1 SP1, RSA Web Agent before 5.3.5 for Apache Web Server, RSA Web Agent before 5.3.5 for IIS, RSA PAM Agent before 7.0, and RSA Agent before 6.1.4 for Microsoft Windows use an improper encryption algorithm and a weak key for maintaining the stored data of the no...

CVE-2012-4409

Stack-based buffer overflow in the checkfilehead function in extra.c in mcrypt 2.6.8 and earlier allows user-assisted remote attackers to execute arbitrary code via an encrypted file with a crafted header containing long salt data that is not properly handled during decryption...

Agile FleetCommander and FleetCommander Kiosk versions prior to 4.08 contain multiple vulnerabilities

Overview Agile FleetCommander and FleetCommander Kiosk were found to have multiple XSS, CSRF, information disclosure and SQLi vulnerabilities. Description CWE-89: Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' - CVE-2012-4941SQL Injection Vulnerabilities:...

CVE-2012-4571

Python Keyring 0.9.1 does not securely initialize the cipher when encrypting passwords for CryptedFileKeyring files, which makes it easier for local users to obtain passwords via a brute-force attack...

Design/Logic Flaw

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differenc...