What you need to know about how cryptography impacts your security strategy

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest post of our Voice of the Community blog series post, Microsoft Security Product Marketing Manager Natalia Godyla talks with Taurus SA Co-founder...

ASP.NET ViewState MAC Not Enabled

The ViewState is a parameter specific to the ASP.NET framework, it's used as a breadcrumb trail when the user navigates the application preserving values and controls between different web pages. Present on the pages in the viewstate parameter, all the values are serialized and encoded in base64 ...

The vulnerability of the astra-safepolicy security configuration software, related to access control deficiencies. Exploiting this vulnerability allows attackers to gain access to confidential data, compromise its integrity, and cause service failures.

The vulnerability of the astra-safepolicy security configuration software relates to the disabling of the MAC mode. Exploiting this vulnerability allows a remote attacker to access confidential data, compromise its integrity, and cause service failures...

[SECURITY] Fedora 34 Update: opendmarc-1.4.0-1.fc34

OpenDMARC Domain-based Message Authentication, Reporting & Conformance provides an open source library that implements the DMARC verification service plus a milter-based filter application that can plug in to any milter-aware MTA, including sendmail, Postfix, or any other MTA that suppor ts the...

Rapid7's 2021 ICER Takeaways: Email Security Among the Fortune 500

This blog post covers key takeaways from our 2021 Industry Cyber-Exposure Report ICER: Fortune 500. Original analysis for these findings was conducted by Kwan Lin. We all know and love—or at least begrudgingly rely upon—email. It is a pillar of modern communications, but is unfortunately also...

PT-2021-18220 · Unknown · Jose-Node-Esm-Runtime

Name of the Vulnerable Software and Affected Versions: jose-node-esm-runtime versions prior to 3.11.4 Description: The AES CBC HMAC SHA2 Algorithm decryption in the jose-node-esm-runtime package has a timing difference when a padding error occurs, creating a padding oracle. This allows an adversa...

UnionPay IOS 数据伪造问题漏洞

UnionPay IOS is an application of China UnionPay Corporation UnionPay in China. Union Pay ios 3.3.12 suffers from a security vulnerability that originates from incorrectly verified password signatures, which can be exploited by an attacker to make free purchases on merchant websites and mobile ap...

Nextcloud Server File Block Overwrite Vulnerability (NC-SA-2020-038)

Nextcloud Server is prone to a vulnerability where Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file. SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and...

CVE-2020-12355

Authentication bypass by capture-replay in RPMB protocol message authentication subsystem in IntelR TXE versions before 4.0.30 may allow an unauthenticated user to potentially enable escalation of privilege via physical access...

CVE-2020-12355

Authentication bypass by capture-replay in RPMB protocol message authentication subsystem in IntelR TXE versions before 4.0.30 may allow an unauthenticated user to potentially enable escalation of privilege via physical access...

GHSA-44VF-8FFM-V2QH Sensitive Data Exposure in rails-session-decoder

All versions of rails-session-decoder are missing verification of the Message Authentication Code appended to the cookies. This may lead to decryption of cipher text thus exposing encrypted information. Recommendation No fix is currently available. Consider using an alternative module until a fix...

Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file (NC-SA-2020-038)

A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file...

Insecure Storage of Sensitive Information in smirzaei/rails-session-decoder

Overview rails-session-decoder is a simple utility for decoding Rails 4.x sessions in Node.js, this package are vulnerable to Information Exposure. Missing verification of the Message Authentication Code appended to the cookies may lead to decryption of cipher text, exposing encrypted information...

CVE-2020-8911

A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code MAC, which then allows an attacker who has write access to the target's S3 bucket and can observe...

FreeBSD : typo3 -- multiple vulnerabilities (eab964f8-d632-11ea-9172-4c72b94353b5)

Typo3 Team reports : In case an attacker manages to generate a valid cryptographic message authentication code HMAC-SHA1 - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. Thi...

Information Disclosure

typo3/cms is vulnerable to information disclosure. An insecure internal verification mechanism can be used to generate arbitrary checksums and allows an attacker to inject arbitrary data having a valid cryptographic message authentication code HMAC-SHA1, resulting in disclosure of confidential...

CVE-2020-15098

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic...

CVE-2020-15099

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code HMAC-SHA1 - either by using a different existing vulnerability or in case t...

CVE-2020-15086

In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. The allows to inject arbitrary data having a valid cryptographic message authentication code...

CVE-2020-15099

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code HMAC-SHA1 - either by using a different existing vulnerability or in case t...