111 matches found

CNNVD
added 2023/03/29 12:00 a.m., 4 views

TP-LINK TL-WR940N Security Feature Issue Vulnerability

The TP-LINK TL-WR940N is a wireless router from TP-LINK (P&L) of China. The TP-Link TL-WR940N suffers from a Security Feature Issue vulnerability that stems from a lack of sufficient randomness in the serial number used for session management. An attacker could exploit the vulnerability to bypass...

CVSS 8.8, AI score 7, EPSS 0.00905
Exploits 0, References 2
F5 Networks
added 2023/02/21 7:56 p.m., 134 views

K10065173: TMM TLS virtual server vulnerability CVE-2019-6593

Security Advisory Description: A BIG-IP virtual server configured with a Client SSL profile may be vulnerable to a chosen ciphertext attack against CBC ciphers. When exploited, this may result in plaintext recovery of encrypted messages through a man-in-the-middle (MITM) attack, despite the attacker...

CVSS 5.9, AI score 6.6, EPSS 0.00653
Exploits 0, Affected Software 13
CNNVD
added 2022/09/09 12:00 a.m., 3 views

aEnrich eHRD Learning Management Key Performance Indicator System Security Vulnerability

The aEnrich eHRD Learning Management Key Performance Indicator System 5+ is a web-based Learning Management System (LMS) from aEnrich Corporation in China. A security vulnerability exists in the aEnrich eHRD Learning Management Key Performance Indicator System version 5.x. The vulnerability stems...

CVSS 7.5, AI score 7.3, EPSS 0.006
Exploits 0, References 3
NVD
added 2022/05/24 3:15 p.m., 8 views

CVE-2021-45915

In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a cookie value. This allows the attacker's session to be authenticated as any registered LuxCal user, including the site administrator...

CVSS 9.8, EPSS 0.01483
Exploits 0, References 4
Prion
added 2022/05/24 3:15 p.m., 9 views

Design/Logic Flaw

In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a POST request. This allows the attacker's session to be authenticated as any registered LuxCal user, including the site administrator...

CVSS 7.5, AI score 9.2, EPSS 0.01483
Exploits 0, References 4, Affected Software 1
OSV
added 2022/03/25 7:15 p.m., 2 views

CVE-2021-3814

It was found that 3scale's APIdocs does not validate the access token; when the token is invalid, it falls back to session auth instead. This conceivably bypasses access controls and permits unauthorized information disclosure...

CVSS 7.5, AI score 7.1, EPSS 0.01113
Exploits 0, References 1
Positive Technologies
added 2022/03/12 12:00 a.m., 8 views

PT-2022-07: Insufficient authentication in Veeam Backup & Replication

The vulnerability was identified in Veeam Backup & Replication versions 9.5, 10 and 11. The discovered vulnerability allows an attacker to authenticate using a NULL session. This may lead to gaining control over the target system. Vulnerability status: Confirmed by vendor. Date of vulnerability...

CVSS 10, AI score 6.8, EPSS 0.04279
Exploits 0, References 1
CNNVD
added 2021/10/22 12:00 a.m., 4 views

MEDIA NAVI Inc SMACom Security Vulnerability

MEDIA NAVI Inc SMACom is software that transfers photos and movies taken with a smartphone to a PC without using a USB cable or SD card. A security vulnerability exists in MEDIA NAVI Inc SMACom: version v1.2 was found to contain an insecure...

CVSS 5.9, AI score 6, EPSS 0.01089
Exploits 1, References 3
Hacker One
added 2021/04/05 8:10 p.m., 64 views

U.S. Dept Of Defense: ████████ portal is open to enumeration once authenticated. Session IDs appear static. All PII available once a valid session ID is found.

Description: Once authenticated to the █████████ portal with valid credentials, you can type in another member's session ID and see any service member's data as if you were authenticated as them. https://█████████ I did not see if there was a way to dump all session IDs, but wouldn't be too...

AI score 0.4
Exploits 0
CNVD
added 2021/01/21 12:00 a.m., 7 views

Cisco Data Center Network Manager Server-Side Request Forgery Vulnerability

Cisco Data Center Network Manager (DCNM) is a suite of data center network managers from Cisco that provides multiprotocol management of the network and troubleshooting of switch operating conditions and performance. A server-side request forgery vulnerability exists in the session authentication...

CVSS 8.8, AI score 7, EPSS 0.01284
Exploits 0, References 1
CNNVD
added 2021/01/20 12:00 a.m., 2 views

Cisco Data Center Network Manager Code Issue Vulnerability

Cisco Data Center Network Manager (DCNM) is a suite of data center network managers from Cisco that provides multiprotocol management of the network and troubleshooting of switch operating conditions and performance. A server-side request forgery vulnerability exists in the session authentication...

CVSS 8.8, AI score 7.3, EPSS 0.01284
Exploits 0, References 5
CNVD
added 2020/12/22 12:00 a.m., 7 views

Apache Airflow Webserver Unauthorized Access Vulnerability

Apache Airflow is an open source platform from the Apache Foundation (United States) for creating, managing and monitoring workflows. The platform is scalable and offers dynamic monitoring among other features. A security vulnerability exists in Apache Airflow Webserver versions prior to 1.10....

CVSS 7.7, AI score 6.5, EPSS 0.23239
Exploits 0, References 1
Veracode
added 2020/08/06 5:07 a.m., 17 views

Cross-Site Request Forgery (CSRF)

fieldtest is vulnerable to cross-site request forgery (CSRF). The library does not verify the authenticity of requests made with non-session based authentication...

CVSS 4.3, AI score 3.6, EPSS 0.00426
Exploits 0, References 3, Affected Software 1
Snyk
added 2020/08/05 3:36 p.m., 2 views

Cross-site Request Forgery (CSRF)

Overview: fieldtest is an A/B testing library for Rails. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) with non-session based authentication methods. Remediation: Upgrade fieldtest to version 0.4.0 or higher. References: GitHub Issue...

CVSS 8.8, AI score 7.2, EPSS 0.00426
Exploits 0, References 2
Snyk
added 2020/08/05 3:28 p.m., 4 views

Cross-site Request Forgery (CSRF)

Overview: pghero is a performance dashboard for Postgres. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The Ruby gem is vulnerable with non-session based authentication methods like basic authentication; session-based authentication methods like Devise's...

CVSS 8.1, AI score 9.3, EPSS 0.00465
Exploits 0, References 2
Github Security Blog
added 2020/08/05 2:53 p.m., 33 views

Field Test CSRF vulnerability

The Field Test dashboard is vulnerable to cross-site request forgery (CSRF) with non-session based authentication methods in versions v0.2.0 through v0.3.2. Impact: The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods, like basic authentication. Session-based...

CVSS 4.3, AI score 5.2, EPSS 0.00426
Exploits 0, References 5, Affected Software 1
RubySec
added 2020/08/04 12:00 a.m., 19 views

CSRF Vulnerability with Non-Session Based Authentication

The PgHero dashboard is vulnerable to CSRF with non-session based authentication methods. Impact: The PgHero dashboard is vulnerable to cross-site request forgery (CSRF). This affects the Docker image, Linux packages, and in specific cases the Ruby gem. The Ruby gem is vulnerable with non-session...

CVSS 8.1, AI score 2.8, EPSS 0.00465
Exploits 0, References 1, Affected Software 1
Veracode
added 2020/06/26 6:46 a.m., 22 views

Log Injection

generator-jhipster is vulnerable to log injection. The vulnerability is possible because a public API creates log entries for invalid password reset attempts against user-provided email addresses during JWT or session authentication, allowing an attacker to forge log entries...

CVSS 5.3, AI score 3.2, EPSS 0.01214
Exploits 0, References 4, Affected Software 2
NVD
added 2020/06/25 8:15 p.m., 18 views

CVE-2020-4072

In generator-jhipster-kotlin version 1.6.0, log entries are created for invalid password reset attempts. As the email is provided by a user and the API is public, this can be used by an attacker to forge log entries. This is vulnerable to https://cwe.mitre.org/data/definitions/117.html This problem...

CVSS 5.3, EPSS 0.01214
Exploits 0, References 4
OSV
added 2020/06/25 8:15 p.m., 13 views

CVE-2020-4072

In generator-jhipster-kotlin version 1.6.0, log entries are created for invalid password reset attempts. As the email is provided by a user and the API is public, this can be used by an attacker to forge log entries. This is vulnerable to https://cwe.mitre.org/data/definitions/117.html This problem...

CVSS 5.3, AI score 5.4
Exploits 0, References 4