
466 matches found

RedHat Linux
added 2013/03/11 6:14 p.m., 3 views

tomcat: three DIGEST authentication implementation issues

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to...

CVSS 5 | AI score 7.4 | EPSS 0.08768
Exploits 0 | References 4
RedHat Linux
added 2013/02/19 8:31 p.m., 4 views

tomcat: three DIGEST authentication implementation issues

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to...

CVSS 5 | AI score 7.4 | EPSS 0.08768
Exploits 0 | References 4
RedHat Linux
added 2013/02/19 8:31 p.m., 3 views

Tomcat/JBoss Web - Bypass of CSRF prevention filter

org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery CSRF protection mechanism via a request that lacks a session identifier...

CVSS 4.3 | AI score 7.3 | EPSS 0.09146
Exploits 1 | References 6
RedHat Linux
added 2013/02/19 8:31 p.m., 52 views

Moderate: Red Hat Security Advisory: tomcat6 security update

Updated tomcat6 packages that fix multiple security issues are now available for JBoss Enterprise Web Server 2.0.0 for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System CVSS base score...

CVSS 5 | AI score 6.4 | EPSS 0.12098
Exploits 4 | References 6
RedHat Linux
added 2013/02/19 8:30 p.m., 3 views

Tomcat/JBoss Web - Bypass of CSRF prevention filter

org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery CSRF protection mechanism via a request that lacks a session identifier...

CVSS 4.3 | AI score 7.3 | EPSS 0.09146
Exploits 1 | References 6
RedHat Linux
added 2013/02/19 8:29 p.m., 7 views

tomcat: three DIGEST authentication implementation issues

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to...

CVSS 5 | AI score 7.4 | EPSS 0.08768
Exploits 0 | References 4
RedHat Linux
added 2013/02/19 8:29 p.m., 1 view

Tomcat/JBoss Web - Bypass of CSRF prevention filter

org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery CSRF protection mechanism via a request that lacks a session identifier...

CVSS 4.3 | AI score 7.3 | EPSS 0.09146
Exploits 1 | References 6
OpenVAS
added 2013/01/15 12:00 a.m., 43 views

Ubuntu Update for tomcat7 USN-1685-1

Check for the Version of tomcat7 OpenVAS Vulnerability Test $Id: gbubuntuUSN16851.nasl 8526 2018-01-25 06:57:37Z teissa $ Ubuntu Update for tomcat7 USN-1685-1 Authors: System Generated Check Copyright: Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net This program is free softwar...

CVSS 4.3 | AI score 6.7 | EPSS 0.11975
Exploits 3 | References 2
OSV
added 2012/12/27 11:47 a.m., 9 views

CVE-2012-5868

WordPress 3.4.2 does not invalidate a wordpresssec session cookie upon an administrator's logout action, which makes it easier for remote attackers to discover valid session identifiers via a brute-force attack, or modify data via a replay attack...

CVSS 2.6 | AI score 6.4 | EPSS 0.02432
Exploits 1 | References 1
Prion
added 2012/12/19 11:55 a.m., 18 views

Cross site request forgery (csrf)

org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery CSRF protection mechanism via a request that lacks a session identifier...

CVSS 4.3 | AI score 7 | EPSS 0.09146
Exploits 1 | References 25 | Affected Software 1
UbuntuCve
added 2012/12/19 12:00 a.m., 26 views

CVE-2012-4431

org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery CSRF protection mechanism via a request that lacks a session identifier...

CVSS 4.3 | AI score 7.4 | EPSS 0.09146
Exploits 1 | References 5
Tenable Nessus
added 2012/12/17 12:00 a.m., 15 views

Apache Tomcat 7.0.x < 7.0.32 CSRF Filter Bypass

Binary data 6644.pasl...

CVSS 4.3 | AI score 7.3 | EPSS 0.09146
Exploits 1 | References 2
FreeBSD
added 2012/12/04 12:00 a.m., 73 views

tomcat -- bypass of CSRF prevention filter

The Apache Software Foundation reports: The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request...

CVSS 4.3 | AI score 9.1 | EPSS 0.09146
Exploits 1 | References 2
Patchstack
added 2012/11/14 12:00 a.m., 18 views

WordPress <= 3.4.2

Attackers can discover valid session identifiers via a brute-force attack, because this WordPress version does not invalidate a wordpresssec session cookie upon an administrator's logout action. Solution: The application should keep track of session identifiers where a user has explicitly logg...

CVSS 2.6 | AI score 4.7 | EPSS 0.02432
Exploits 1 | References 1 | Affected Software 1
Tenable Nessus
added 2012/08/01 12:00 a.m., 45 views

Scientific Linux Security Update : php on SL4.x i386/x86_64

It was discovered that the PHP escapeshellcmd function did not properly escape multi-byte characters which are not valid in the locale used by the script. This could allow an attacker to bypass quoting restrictions imposed by escapeshellcmd and execute arbitrary commands if the PHP script was usi...

CVSS 10 | AI score 7.8 | EPSS 0.04696
Exploits 3 | References 7
PyPA
added 2012/06/05 10:55 p.m., 5 views

PYSEC-2012-33

Session fixation vulnerability in OpenStack Dashboard Horizon folsom-1 and 2012.1 allows remote attackers to hijack web sessions via the sessionid cookie...

CVSS 6.8 | AI score 7 | EPSS 0.0211
Exploits 1 | References 12 | Affected Software 1
Debian CVE
added 2011/10/19 10:00 a.m., 42 views

CVE-2011-4136

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that...

CVSS 5.8 | AI score 6.2 | EPSS 0.02284
Exploits 0
OpenVAS
added 2010/12/23 12:00 a.m., 35 views

Mandriva Update for openssl MDVSA-2010:248 (openssl)

Check for the Version of openssl OpenVAS Vulnerability Test Mandriva Update for openssl MDVSA-2010:248 openssl Authors: System Generated Check Copyright: Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net This program is free software; you can redistribute it and/or modify it unde...

CVSS 4.3 | AI score 7.1 | EPSS 0.09497
Exploits 0 | References 2
Tenable Nessus
added 2010/12/07 12:00 a.m., 55 views

OpenSSL 1.0.0 < 1.0.0c Multiple Vulnerabilities

The version of OpenSSL installed on the remote host is prior to 1.0.0c. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.0.0c advisory. - OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allo...

CVSS 7.5 | AI score 7.1 | EPSS 0.09497
Exploits 1 | References 5
CVE
added 2010/12/06 10:00 p.m., 107 views

CVE-2008-7270

CVE-2008-7270 affects OpenSSL before 0.9.8j when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, allowing an attacker to modify the session-cached ciphersuite and potentially force a disabled cipher. The issue is triggered by session cache handling and is distinct from CVE-2010-4180. Public d...

CVSS 4.3 | AI score 8.1 | EPSS 0.03426
Exploits 0 | References 10 | Affected Software 1