Cvelist
added 2020/11/27 4:40 p.m. · 12 views

CVE-2020-7780 Cross-site Request Forgery (CSRF)

This affects the package com.softwaremill.akka-http-session:core2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core2.11 before 0.5.11. For older versions, endpoints protected by randomTokenCsrfProtection...

CVSS 6.3 · AI score 8.7 · EPSS 0.00365
Exploits 0 · References 6
CNNVD
added 2020/11/27 12:00 a.m. · 3 views

Softwaremill Akka-http-session Cross-Site Request Forgery Vulnerability

Softwaremill Akka-http-session is a library from Softwaremill, Poland, that provides JWT and persistent-session support for single-page or mobile applications. A security vulnerability exists in com.softwaremill.akka-http-session:core2.13, which stems from the fact that...

CVSS 8.8 · AI score 7.2 · EPSS 0.00365
Exploits 0 · References 5
vulnersOsv
added 2020/11/24 4:51 p.m. · 4 views

com.codacy:codacy-seed-client-akka-http_2.11 (>=1.1.0-featurehelm3.62.2328366_akka24Circe08 <=1.2.0_akka25Circe08), com.softwaremill.akka-http-session:jwt_2.11 (>=0.2.0 <=0.5.11) potentially affected by CVE-2020-28452 via com.softwaremill.akka-http-session:core_2.11 (>=0.2.0 <=0.5.9)

com.softwaremill.akka-http-session:core2.11 MAVEN version =0.2.0, =1.1.0-featurehelm3.62.2328366akka24Circe08, =0.2.0, =0.5.11 Source cves: CVE-2020-28452 Source advisory: SNYK:JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046675...

CVSS 8.8 · AI score 7.2 · EPSS 0.00217
Exploits 0
vulnersOsv
added 2020/11/24 4:51 p.m. · 4 views

com.boxframework:box-server_2.12 (>=1.2.22 <=1.2.23), com.codacy:codacy-seed-client-akka-http_2.12 (>=1.1.0-master.51.7b7549c_akka25Circe08 <=1.2.0_akka25Circe08) +1 more potentially affected by CVE-2020-28452 via com.softwaremill.akka-http-session:core_2.12 (>=0.3.0 <=0.6.0)

com.softwaremill.akka-http-session:core2.12 MAVEN version =0.3.0, =1.2.22, =1.1.0-master.51.7b7549cakka25Circe08, =0.3.0, =0.6.0 Source cves: CVE-2020-28452 Source advisory: SNYK:JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046674...

CVSS 8.8 · AI score 7.2 · EPSS 0.00217
Exploits 0
Snyk
added 2020/03/10 4:51 p.m. · 1 view

Cross-site Request Forgery (CSRF)

Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). For older versions, endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie. Remediation: Upgrade...

CVSS 8.8 · AI score 6.8 · EPSS 0.00365
Exploits 0 · References 2
Snyk
added 2020/03/10 4:51 p.m. · 2 views

Cross-site Request Forgery (CSRF)

Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). For older versions, endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie. Remediation: Upgrade...

CVSS 8.8 · AI score 6.8 · EPSS 0.00365
Exploits 0 · References 2
vulnersOsv
added 2020/03/10 4:51 p.m. · 3 views

com.codacy:codacy-seed-client-akka-http_2.11 (>=1.1.0-master.51.7b7549c_akka25Circe08 <=1.2.0_akka25Circe08), com.softwaremill.akka-http-session:jwt_2.11 (>=0.2.0 <=0.5.10) potentially affected by CVE-2020-7780 via com.softwaremill.akka-http-session:core_2.11 (>=0.2.0 <=0.5.10)

com.softwaremill.akka-http-session:core2.11 MAVEN version =0.2.0, =1.1.0-master.51.7b7549cakka25Circe08, =0.2.0, =0.5.10 Source cves: CVE-2020-7780 Source advisory: SNYK:JAVA-COMSOFTWAREMILLAKKAHTTPSESSION-1046655...

CVSS 8.8 · AI score 7.2 · EPSS 0.00365
Exploits 0
RedhatCVE
added 2019/10/22 9:51 p.m. · 34 views

CVE-2019-10405

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly...

CVSS 5.4 · AI score 2.5 · EPSS 0.82266
Exploits 0 · References 3
OSV
added 2019/09/25 4:15 p.m. · 26 views

CVE-2019-10405

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly...

CVSS 5.4 · AI score 5.7
Exploits 0 · References 2
Prion
added 2019/09/25 4:15 p.m. · 19 views

Cross site scripting

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly...

CVSS 3.5 · AI score 5.1 · EPSS 0.82266
Exploits 0 · References 2 · Affected Software 1
CVE
added 2019/09/25 3:05 p.m. · 156 views

CVE-2019-10405

CVE-2019-10405 affects Jenkins 2.196 and earlier, and LTS 2.176.3 and earlier. The vulnerability causes the server to print the value of the cookie in the /whoAmI/ URL, despite the cookie being marked HttpOnly. This enables an attacker who can exploit another XSS vulnerability to obtain the HTTP ...

CVSS 5.4 · AI score 5 · EPSS 0.82266
Exploits 0 · References 2 · Affected Software 1
AlpineLinux
added 2019/09/25 3:05 p.m. · 43 views

CVE-2019-10405

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly...

CVSS 5.4 · AI score 5.2 · EPSS 0.82266
Exploits 0
Positive Technologies
added 2019/09/11 12:00 a.m. · 2 views

PT-2019-6283 · Nlnet +5 · Unbound +5

Name of the Vulnerable Software and Affected Versions: Unbound versions prior to 1.9.5. Description: The issue is related to insufficient neutralization of special elements in a request, which can be exploited by a remote attacker to impact data integrity. This can occur upon a successful...

CVSS 9.8 · AI score 7.7 · EPSS 0.01026
Exploits 1 · References 120
Talos
added 2019/05/13 12:00 a.m. · 139 views

Novatek NT9665X HFS Recv buffer overflow code execution vulnerability

Summary: An exploitable code execution vulnerability exists in the HTTP request-parsing function of the NT9665X Chipset firmware running on the Anker Roav A1 Dashcam, version “RoavA1SWV1.9.” A specially crafted packet can cause an unlimited and arbitrary write to memory, resulting in code executio...

CVSS 10 · AI score 9.3 · EPSS 0.02115
Exploits 1
NVD
added 2019/03/01 7:29 a.m. · 13 views

CVE-2019-9484

The Glen Dimplex Deutschland GmbH implementation of the Carel pCOWeb configuration tool allows remote attackers to obtain access via an HTTP session on port 10000, as demonstrated by reading the modem password which is 1234, or reconfiguring "party mode" or "vacation mode."...

CVSS 7.5 · AI score 7.7 · EPSS 0.00278
Exploits 0 · References 1
Prion
added 2019/03/01 7:29 a.m. · 17 views

Design/Logic Flaw

The Glen Dimplex Deutschland GmbH implementation of the Carel pCOWeb configuration tool allows remote attackers to obtain access via an HTTP session on port 10000, as demonstrated by reading the modem password which is 1234, or reconfiguring "party mode" or "vacation mode."...

CVSS 5 · AI score 7.7 · EPSS 0.00278
Exploits 0 · References 1
CVE
added 2019/03/01 6:00 a.m. · 46 views

CVE-2019-9484

The CVE-2019-9484 entry concerns Glen Dimplex Deutschland GmbH’s implementation of the Carel pCOWeb configuration tool. The vulnerability allows remote attackers to gain access through an HTTP session on port 10000, enabling reading of the modem password and reconfiguration of “party mode” or “va...

CVSS 7.5 · AI score 7.6 · EPSS 0.00278
Exploits 0 · References 1 · Affected Software 1
Cvelist
added 2019/03/01 6:00 a.m. · 17 views

CVE-2019-9484

The Glen Dimplex Deutschland GmbH implementation of the Carel pCOWeb configuration tool allows remote attackers to obtain access via an HTTP session on port 10000, as demonstrated by reading the modem password which is 1234, or reconfiguring "party mode" or "vacation mode."...

AI score 7.7 · EPSS 0.00278
Exploits 0 · References 1
OSV
added 2019/01/22 2:29 p.m. · 21 views

CVE-2019-1003004

An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java that allows attackers to extend the duration of active HTTP sessions indefinitely even though the user account may have...

CVSS 7.2 · AI score 6.6
Exploits 0 · References 3
OSV
added 2018/10/18 5:41 p.m. · 1 view

GHSA-V6WR-FCH2-VM5W OrientDB Server Community Edition uses insufficiently random values to generate session IDs

OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 improperly relies on the java.util.Random class for generation of random Session ID values in the server/network/protocol/http/OHttpSessionManager.java, which makes it easier for remote attackers to predict a value by...

CVSS 5.9 · AI score 6.6 · EPSS 0.00497
Exploits 0 · References 5