CVE-2018-5157

Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party website. This vulnerability affects Firefox ESR 52.8 an...

CVE-2018-5152

CVE-2018-5152 affects Firefox before 60. WebExtensions with appropriate permissions can inject content scripts into sites like accounts.firefox.com and monitor traffic via webRequest, enabling interception during login and exposure of username and encrypted password. The issue is limited to the l...

Monstra CMS 3.0.4 - Cross-Site Scripting (1)

Monstra CMS 3.0.4 - Cross-Site Scripting 1 Title: Monstra CMS www.target.com' url = input'Target : ' print' Required admin's PHPSESSID.' PHPSESSID = input'PHPSESSID : ' pagename = input'Pagename : ' script = input'Script : ' target = 'http://' + url + '/admin/index.php?id=pages&action=addpage'...

Design/Logic Flaw

Http-signature is a "Reference implementation of Joyent's HTTP Signature Scheme". In versions =0.9.11, http-signature signs only the header values, but not the header names. This makes http-signature vulnerable to header forgery. Thus, if an attacker can intercept a request, he can swap header...

CVE-2017-16005

Http-signature is a "Reference implementation of Joyent's HTTP Signature Scheme". In versions =0.9.11, http-signature signs only the header values, but not the header names. This makes http-signature vulnerable to header forgery. Thus, if an attacker can intercept a request, he can swap header...

Logic Design Vulnerability in LemHealth APP, a Smart Health Bracelet from Synerchip Technology

LemHealth APP is a health management software. A logical design vulnerability exists in the LemHealth APP, a smart health bracelet from Synergy Technology. An attacker can reset any password and perform unauthorized operations by catching packets and intercepting changes...

CVE-2016-10582

closurecompiler is a Closure Compiler for node.js. closurecompiler downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested binary with an attacker controlled binary if the attacker is on...

Hardcoded credentials

The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP. Environment variables can often times contain secret keys and other sensitive values. A malicious user could be on the same network as a regular user and intercept all the secret keys the user is sending...

CVE-2016-10530

The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP. Environment variables can often times contain secret keys and other sensitive values. A malicious user could be on the same network as a regular user and intercept all the secret keys the user is sending...

CVE-2016-10530

The CVE-2016-10530 issue affects the airbrake Node.js module (versions ≤ 0.3.8). It defaults to sending environment variables over HTTP, exposing secrets on privileged networks. This is explicitly described in multiple Connected sources (Airbrake node advisory and CVE records). Impact is exposure...

CVE-2016-10566

install-nw is a module which quickly and robustly installs and caches NW.js. install-nw versions below 1.1.5 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested binary with an attacker...

Remote code execution

scala-bin is a binary wrapper for Scala. scala-bin downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or...

About the security content of iOS 11.4

About the security content of iOS 11.4 This document describes the security content of iOS 11.4. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recen...

About the security content of watchOS 4.3.1

About the security content of watchOS 4.3.1 This document describes the security content of watchOS 4.3.1. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are...

[SECURITY] [DSA 4211-1] xdg-utils security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4211-1 [email protected] https://www.debian.org/security/ Luciano Bello May 25, 2018 https://www.debian.org/security/faq -...

CVE-2017-12129

An exploitable Weak Cryptography for Passwords vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. An attacker could intercept weakly encrypted passwords and could brute force them...

PT-2018-5370 · Moxa · Moxa Edr-810

Name of the Vulnerable Software and Affected Versions: Moxa EDR-810 version 4.1 build 17030317 Description: A weakness in cryptography for passwords exists in the web server functionality, allowing an attacker to intercept weakly encrypted passwords and potentially brute force them...

CVE-2018-5152

WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. For example, this allows for the interception of username and an encrypted password during login to Firef...

CVE-2018-5152

WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. For example, this allows for the interception of username and an encrypted password during login to Firef...

Siemens Siveillance VMS Video for Android and iOS Incorrect Certificate Validation Vulnerability

Siemens Siveillance VMS Video for Android is an Android-based video management software from Siemens, Germany. Siveillance VMS Video for iOS is an iOS-based version. A security vulnerability exists in Siveillance VMS Video prior to 12.1a 2018 R1 for Android-based platforms and Siveillance VMS Vid...