52 matches found
GHSA-HMG4-WWM5-P999 Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes
Impact Based on an analysis of response codes and timing of Umbraco 14+ management API responses, it's possible to determine whether an account exists. Patches Patched in 14.3.2 and 15.1.2. Workarounds None available...
CVE-2025-24011
Summary: CVE-2025-24011 affects Umbraco CMS (.NET). From 14.0.0 up to, but not including, 14.3.2 and 15.1.2, an attacker can determine whether an account exists by analyzing response codes and timing of the management API. Impact: information exposure; no availability/integrity impact claimed. Ve...
Law Enforcement Deanonymizes Tor Users
The German police have successfully deanonymized at least four Tor users. It appears they watch known Tor relays and known suspects, and use timing analysis to figure out who is using what relay. Tor has written about this. Hacker News thread...
Tor anonymity compromised by law enforcement. Is it still safe to use?
Despite people generally considering the Tor network as an essential tool for anonymous browsing, german law enforcement agencies have managed to de-anonymize Tor users after putting surveillance on Tor servers for months. Before we go into the what the agencies did, let's take a look at some...
PT-2022-26145 · Unknown · Zulip Server
Name of the Vulnerable Software and Affected Versions: Zulip Server versions 5.0 through 5.6 Description: Zulip is an open-source team collaboration tool. For organizations with System for Cross-domain Identity Management SCIM account management enabled, it might theoretically be possible for an...
CVE-2022-41914 Non-constant-time SCIM token comparison in Zulip Server
Zulip is an open-source team collaboration tool. For organizations with System for Cross-domain Identity ManagementSCIM account management enabled, Zulip Server 5.0 through 5.6 checked the SCIM bearer token using a comparator that did not run in constant time. Therefore, it might theoretically be...
CVE-2022-41914 Non-constant-time SCIM token comparison in Zulip Server
Zulip is an open-source team collaboration tool. For organizations with System for Cross-domain Identity ManagementSCIM account management enabled, Zulip Server 5.0 through 5.6 checked the SCIM bearer token using a comparator that did not run in constant time. Therefore, it might theoretically be...
CVE-2022-41914 Non-constant-time SCIM token comparison in Zulip Server
Zulip is an open-source team collaboration tool. For organizations with System for Cross-domain Identity ManagementSCIM account management enabled, Zulip Server 5.0 through 5.6 checked the SCIM bearer token using a comparator that did not run in constant time. Therefore, it might theoretically be...
Qlik Community 信息泄露漏洞
Qlik Community is a data analytics solution. Qlik Community suffers from an information disclosure vulnerability that originates from allowing a remote attacker to enumerate domain user accounts. An attacker could exploit this vulnerability by sending authenticated requests to an affected system...
CVE-2020-12788
CMAC verification functionality in Microchip Atmel ATSAMA5 products is vulnerable to vulnerable to timing and power analysis attacks...
Code injection
CMAC verification functionality in Microchip Atmel ATSAMA5 products is vulnerable to vulnerable to timing and power analysis attacks...
CVE-2020-12788
CMAC verification functionality in Microchip Atmel ATSAMA5 products is vulnerable to vulnerable to timing and power analysis attacks...
CVE-2020-12788
The CVE concerns CMAC verification in Microchip Atmel ATSAMA5 products. The issue stems from side-channel weaknesses (timing and power analysis) during CMAC verification, which could potentially expose sensitive information. Connected documents reiterate the affected target as ATSAMA5, but do not...
NetCAT: New Attack Lets Hackers Remotely Steal Data From Intel CPUs
Unlike previous side-channel vulnerabilities disclosed in Intel CPUs, researchers have discovered a new flaw that can be exploited remotely over the network without requiring an attacker to have physical access or any malware installed on a targeted computer. DubbedNetCAT , short for Network Cach...
CVE-2018-10099
Google Monorail before 2018-04-04 has a Cross-Site Search XS-Search vulnerability because CSV downloads are affected by CSRF, and calculations of download times for requests with duplicated columns can be used to obtain sensitive information about the content of bug reports...
UBUNTU-CVE-2018-10844
It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets...
UBUNTU-CVE-2018-10845
It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets...
OpenSSL 0.9.x CBC Error Information Leakage Weakness
No description provided by source. source: http://www.securityfocus.com/bid/6884/info A side-channel attack against implementations of SSL exists that, through analysis of the timing of certain operations, can reveal sensitive information to an active adversary. This information leaked by...
SSL/TLS: CBC padding timing attack (lucky-13)
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct...
SSL/TLS: CBC padding timing attack (lucky-13)
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct...