Lucene search
K

366 matches found

Github Security Blog
Github Security Blog
added 2019/07/30 8:47 p.m.44 views

python-engineio vulnerable to Cross-Site Request Forgery (CSRF)

WebSocket cross-origin vulnerability Impact This is a Cross-Site Request Forgery CSRF vulnerability. It affects Socket.IO and Engine.IO web servers that authenticate clients using cookies. Patches python-engineio version 3.9.0 patches this vulnerability by adding server-side Origin header checks...

8.8CVSS2.1AI score0.00828EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2019/07/16 7:27 a.m.13 views

Cross-Site WebSocket Hijacking (CSWSH)

python-engineio is vulnerable to Cross-Site WebSocket Hijacking CSWSH. A lack of validation in the Origin header in the websocket connection request allows a remote attacker to hijack a websocket connection by exploiting the vulnerability similar to how a cross-site request forgery vulnerability ...

8.8CVSS8.3AI score0.00828EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2019/07/16 12:15 a.m.17 views

CVE-2019-13611

An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking CSWSH vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted...

8.8CVSS8.5AI score
Exploits0References1
OSV
OSV
added 2019/07/16 12:15 a.m.2 views

DEBIAN-CVE-2019-13611

An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking CSWSH vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted...

8.8CVSS8.3AI score0.00828EPSS
Exploits0References1
PyPA
PyPA
added 2019/07/16 12:15 a.m.7 views

PYSEC-2019-170

An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking CSWSH vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted...

8.8CVSS6.9AI score0.00828EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2019/07/16 12:15 a.m.2 views

UBUNTU-CVE-2019-13611

An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking CSWSH vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted...

8.8CVSS6.9AI score0.00828EPSS
Exploits0References3
Cvelist
Cvelist
added 2019/07/15 11:17 p.m.31 views

CVE-2019-13611

An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking CSWSH vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted...

8.6AI score0.00828EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2019/07/15 11:17 p.m.20 views

CVE-2019-13611

An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking CSWSH vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted...

8.8CVSS8.5AI score0.00828EPSS
Exploits0
OSV
OSV
added 2019/06/18 9:15 p.m.5 views

CVE-2017-8337

An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of executing various actions on the web management interface. It seems that the device does not implement any Origin header check which allows an...

8.8CVSS5.9AI score0.02597EPSS
Exploits1References3
Prion
Prion
added 2019/06/18 9:15 p.m.23 views

Design/Logic Flaw

An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of executing various actions on the web management interface. It seems that the device does not implement any Origin header check which allows an...

6.8CVSS8.8AI score0.02597EPSS
Exploits1References3Affected Software3
Cvelist
Cvelist
added 2019/06/18 8:47 p.m.28 views

CVE-2017-8337

An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of executing various actions on the web management interface. It seems that the device does not implement any Origin header check which allows an...

8.9AI score0.02597EPSS
Exploits1References3
Hacker One
Hacker One
added 2019/04/11 9:12 a.m.131 views

Coda: Lack or Origin check leads to Cross-Site Websocket Hijacking (CSWSH)

Summary @fisher discovered a CSRF-related vulnerability in Coda docs by which an attacked could craft a convincing page that would make modifications to a specific document without the victim knowing. This is due to the inherent nature of Websockets not being secure by default. Although a...

0.3AI score
Exploits0
NVD
NVD
added 2019/01/28 8:29 a.m.23 views

CVE-2018-20744

The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems...

5.9CVSS5.8AI score0.00717EPSS
Exploits0References3
CNVD
CNVD
added 2018/10/19 12:0 a.m.5 views

Cisco Enterprise NFV Infrastructure Software Cross-Site Request Forgery Vulnerability

Cisco Enterprise NFV Infrastructure Software NFVIS is a suite of NVF infrastructure software platforms from Cisco. The platform can be achieved through the central coordinator and controller of the virtualization services of the full lifecycle management. A cross-site request forgery vulnerabilit...

8.8CVSS7.2AI score0.00481EPSS
Exploits0References1
OSV
OSV
added 2018/10/17 8:29 p.m.3 views

CVE-2018-15402

A vulnerability in Cisco Enterprise NFV Infrastructure Software NFVIS could allow an unauthenticated, remote attacker to conduct cross-site request forgery CSRF attacks. The vulnerability is due to improper validation of Origin headers on HTTP requests within the management interface. An attacker...

8.8CVSS5.8AI score0.00481EPSS
Exploits0References2
CVE
CVE
added 2018/10/17 8:0 p.m.53 views

CVE-2018-15402

Cisco Enterprise NFV Infrastructure Software (NFVIS) contains a CSRF vulnerability (CVE-2018-15402) arising from improper Origin header validation in the management HTTP interface. An unauthenticated, remote attacker can lure a user to a malicious page to perform actions with the user’s privilege...

8.8CVSS6.6AI score0.00481EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2018/08/28 6:11 a.m.22 views

Cross-Site Request Forgery (CSRF)

github.com/openshift/console is vulnerable to cross-site request forgery CSRF on proxied requests. The server did not perform verification for anti-CSRF tokens and source Origin header of requests. This would allow an attacker to submit requests on behalf of authenticated users via a specially...

5.4CVSS5.3AI score0.01077EPSS
Exploits1References6Affected Software1
RedHat Linux
RedHat Linux
added 2018/03/12 5:31 p.m.3 views

resteasy: Vary header not added by CORS filter leading to cache poisoning

It was discovered that the CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances...

7.5CVSS5.8AI score0.01514EPSS
Exploits0References4
Prion
Prion
added 2018/02/05 10:29 p.m.13 views

Design/Logic Flaw

In the uncurlwsaccept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation accepting an arbitrary substring match for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full...

9.3CVSS8.7AI score0.02163EPSS
Exploits0References3Affected Software2
OSV
OSV
added 2018/02/05 10:29 p.m.3 views

CVE-2018-6651

In the uncurlwsaccept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation accepting an arbitrary substring match for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full...

8.8CVSS5.9AI score0.02163EPSS
Exploits0References3
Rows per page
Query Builder