3242 matches found
CVE-2023-40021 Timing Attack Reveals CSRF Tokens in oppia
Oppia is an online learning platform. When comparing a received CSRF token against the expected token, Oppia uses the string equality operator ==, which is not safe against timing attacks. By repeatedly submitting invalid tokens, an attacker can brute-force the expected CSRF token character by...
CVE-2023-40343
Jenkins Tuleap Authentication Plugin 1.1.20 and earlier uses a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token...
PT-2023-27216 · Oppia · Oppia
Name of the Vulnerable Software and Affected Versions: Oppia versions prior to 3.3.2-hotfix-2 Description: Oppia is an online learning platform. When comparing a received CSRF token against the expected token, Oppia uses the string equality operator ==, which is not safe against timing attacks. B...
Chimera - Automated DLL Sideloading Tool With EDR Evasion Capabilities
While DLL sideloading can be used for legitimate purposes, such as loading necessary libraries for a program to function, it can also be used for malicious purposes. Attackers can use DLL sideloading to execute arbitrary code on a target system, often by exploiting vulnerabilities in legitimate...
Timing Attack
github.com/answerdev/answer is vulnerable to Timing Attacks. The vulnerability exists because the application does not have a constant login attempt response time. which allows an attacker to brute force valid account email addresses...
SUSE SLES12 Security Update : compat-openssl098 (SUSE-SU-2023:3096-1)
The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3096-1 advisory. - CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out...
Important: openssl-snapsafe
Issue Overview: A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficient to recover a ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, an attacker would have to be able to send a very large number o...
openssl: timing attack in RSA Decryption implementation
A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficient to recover a ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, an attacker would have to be able to send a very large number of trial messages...
RHEL 8 : edk2 (RHSA-2023:4128)
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:4128 advisory. EDK Embedded Development Kit is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware f...
GO-2023-1733 Timing attack from non-constant time scalar arithmetic in github.com/bnb-chain/tss-lib
Timing attack from non-constant time scalar arithmetic in github.com/bnb-chain/tss-lib...
GO-2023-1732 Timing attack from non-constant time scalar multiplication in github.com/bnb-chain/tss-lib
Timing attack from non-constant time scalar multiplication in github.com/bnb-chain/tss-lib...
GO-2023-1859 Padding oracle vulnerability in github.com/lestrrat-go/jwx
AES-CBC decryption is vulnerable to a timing attack which may permit an attacker to recover the plaintext of JWE data...
DEBIAN-CVE-2023-34414
The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a sit...
github.com/lestrrat-go/jwx vulnerable to Potential Padding Oracle Attack
Summary Decrypting AES-CBC encrypted JWE has Potential Padding Oracle Attack Vulnerability. Details On v2.0.10, decrypting AES-CBC encrypted JWE may return an error "failed to generate plaintext from decrypted blocks: invalid padding":...
Mozilla: Click-jacking certificate exceptions through rendering lag
The Mozilla Foundation Security Advisory describes this flaw as: The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user...
Mozilla: Click-jacking certificate exceptions through rendering lag
The Mozilla Foundation Security Advisory describes this flaw as: The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user...
Mozilla: Click-jacking certificate exceptions through rendering lag
The Mozilla Foundation Security Advisory describes this flaw as: The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user...
Mozilla: Click-jacking certificate exceptions through rendering lag
The Mozilla Foundation Security Advisory describes this flaw as: The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user...
Mozilla: Click-jacking certificate exceptions through rendering lag
The Mozilla Foundation Security Advisory describes this flaw as: The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user...
Mozilla: Click-jacking certificate exceptions through rendering lag
The Mozilla Foundation Security Advisory describes this flaw as: The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user...