CVE-2023-30056

A session takeover vulnerability exists in FICO Origination Manager Decision Module 4.8.1 due to insufficient protection of the JSESSIONID cookie...

CVE-2023-30056

A session takeover vulnerability exists in FICO Origination Manager Decision Module 4.8.1 due to insufficient protection of the JSESSIONID cookie...

FICO Origination Manager Decision Module 4.8.1 XSS / Session Hijacking Vulnerabilities

Multiple persistent cross site scripting vulnerabilities in FICO Origination Manager Decision Module version 4.8.1 allow an attacker to execute code in the context of the victim's browser using a crafted payload. Additionally, an attacker with initial access to the application, can get the...

GHSA-P26G-97M4-6Q7C Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies

Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " double quote, it will continue to read the cookie string unti...

TP-Link TL-WR902AC firmware 210730 (V3) - Remote Code Execution (Authenticated) Exploit

!/usr/bin/python3 Exploit Title: TP-Link TL-WR902AC firmware 210730 V3 - Remote Code Execution RCE Authenticated Exploit Author: Tobias Müller Date: 2022-12-01 Version: TL-WR902ACEUV30.9.1 Build 220329 Vendor Homepage: https://www.tp-link.com/ Tested On: TP-Link TL-WR902AC Vulnerability...

CVE-2023-28708 Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure...

SUSE CVE-2015-8470

The console in Puppet Enterprise 3.7.x, 3.8.x, and 2015.2.x does not set the secure flag for the JSESSIONID cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session...

CVE-2022-44788

An issue was discovered in Appalti & Contratti 9.12.2. It allows Session Fixation. When a user logs in providing a JSESSIONID cookie that is issued by the server at the first visit, the cookie value is not updated after a successful login...

Session fixation

An issue was discovered in Appalti & Contratti 9.12.2. It allows Session Fixation. When a user logs in providing a JSESSIONID cookie that is issued by the server at the first visit, the cookie value is not updated after a successful login...

CVE-2022-44788

An issue was discovered in Appalti & Contratti 9.12.2. It allows Session Fixation. When a user logs in providing a JSESSIONID cookie that is issued by the server at the first visit, the cookie value is not updated after a successful login...

CVE-2022-44788

An issue was discovered in Appalti & Contratti 9.12.2. It allows Session Fixation. When a user logs in providing a JSESSIONID cookie that is issued by the server at the first visit, the cookie value is not updated after a successful login...

Maggioli SpA Appalti & Contratti 授权问题漏洞

Maggioli SpA Appalti & Contratti is a modular platform of Maggioli SpA. It consists of several integrated web applications to support Italian public administrations in the computerization and telematics management of their processes. A security vulnerability exists in Maggioli SpA Appalti &...

SSRF in /service endpoint

Description The problem came from this line of code I ran docker-drawio with following command : docker run -it --rm --name="draw" -e EXPORTURL=http://somesite.com -p 8080:8080 -p 8443:8443 jgraph/drawio if the drawio EXPORTURL is set to an address without any / after the primary Hostname like...

Security Bulletin: IBM InfoSphere Information Server is vulnerable to insecure third party domain access (CVE-2021-29875)

Summary An insecure third party domain access vulnerability in IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID: CVE-2021-29875 DESCRIPTION: IBM InfoSphere Information Server could allow an attacker to obtain sensitive information due to a insecure third party domain...

Gfos Workforce Management Licensing Issue Vulnerability

Gfos Workforce Management, a workforce management system from Mitre Corporation, U.S.A. A security vulnerability exists in Gfos Workforce Management, which stems from poor JSESSIONID management, where the application's login page is prone to bypass authentication and an attacker can use...

CVE-2021-38618

In GFOS Workforce Management 4.8.272.1, the login page of application is prone to authentication bypass, allowing anyone who knows a user's credentials except the password to get access to an account. This occurs because of JSESSIONID mismanagement...

CVE-2021-38618

In GFOS Workforce Management 4.8.272.1, the login page of application is prone to authentication bypass, allowing anyone who knows a user's credentials except the password to get access to an account. This occurs because of JSESSIONID mismanagement...

Authentication flaw

In GFOS Workforce Management 4.8.272.1, the login page of application is prone to authentication bypass, allowing anyone who knows a user's credentials except the password to get access to an account. This occurs because of JSESSIONID mismanagement...

CVE-2021-38618

In GFOS Workforce Management 4.8.272.1, the login page of application is prone to authentication bypass, allowing anyone who knows a user's credentials except the password to get access to an account. This occurs because of JSESSIONID mismanagement...

CVE-2021-38618

CVE-2021-38618 affects GFOS Workforce Management 4.8.272.1, where JSESSIONID mismanagement enables authentication bypass on the login page. Multiple connected sources (Red Hat advisory, CNVD/CNNVD-style entries, CVE lists) corroborate that an attacker with valid user credentials (excluding the pa...