3243 matches found
CVE-2015-7576
Ruby on Rails: The http_basic_authenticate_with path in Action Controller is vulnerable to a timing-attack bypass when verifying credentials, not using constant-time comparison. A remote attacker could determine valid usernames/passwords by measuring response times. Affected rails versions includ...
SUSE-SU-2016:0457-1 Security update for rubygem-actionpack-4_2
This update for rubygem-actionpack-42 fixes the following issues: - CVE-2016-0751: Object Leak DoS bsc963331 - CVE-2015-7581: unbounded memory growth DoS via wildcard controller routes bsc963335 - CVE-2016-0752: directory traversal and information leak in Action View bsc963332 - CVE-2015-7576:...
SUSE-SU-2016:0435-1 Security update for rubygem-activesupport-4_2
This update for rubygem-activesupport-42 fixes the following issues: - CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller bsc963329 - CVE-2016-0753: Input Validation Circumvention bsc963334...
openSUSE Security Update : rubygem-actionpack-4_2 / rubygem-actionview-4_2 / rubygem-activemodel-4_2 / etc (openSUSE-2016-159)
This update for rubygem-actionpack-42, rubygem-actionview-42, rubygem-activemodel-42, rubygem-activerecord-42, rubygem-activesupport-42 fixes the following issues : - CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller boo963329 - CVE-2016-0752: directory...
openSUSE Security Update : rubygem-actionpack-3_2 / rubygem-activesupport-3_2 (openSUSE-2016-160)
This update for rubygem-actionpack-32, rubygem-activesupport-32 fixes the following issues : - CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller boo963329 - CVE-2016-0752: directory traversal and information leak in Action View boo963332 - CVE-2016-0751:...
MGASA-2016-0051 Updated phpmyadmin/phpseclib packages fix security vulnerability
Password suggestion functionality uses Math.random which does not provide cryptographically secure random numbers CVE-2016-1927. By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full pa...
PT-2016-3431 · Apache +5 · Apache Tomcat +5
Name of the Vulnerable Software and Affected Versions: Apache Tomcat versions 9.0.0.M1 through 9.0.0.M9 Apache Tomcat versions 8.5.0 through 8.5.4 Apache Tomcat versions 8.0.0.RC1 through 8.0.36 Apache Tomcat versions 7.0.0 through 7.0.70 Apache Tomcat versions 6.0.0 through 6.0.45 Description: T...
Automattic: Possible Timing Side-Channel in XMLRPC Verification
https://github.com/Automattic/jetpack/blob/bc7a4541ef6f0e9f583376d801ab0c40cfb976c3/class.jetpack-xmlrpc-server.phpL115 I mentioned this to @daljo628 and he suggested submitting it here instead. This looks very much like a classic timing attack vulnerability. The fix would be to use hashequals...
Mageia: Security Advisory (MGASA-2015-0486)
The remote host is missing an update for the SPDX-FileCopyrightText: 2015 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
mediawiki: multiple issues
CVE-2015-8622: T117899 XSS from wikitext when $wgArticlePath='$1'. Internal review discovered an XSS vector when MediaWiki is configured with a non-standard configuration. - CVE-2015-8624: T119309 User::matchEditToken should use constant-time string comparison. Internal review discovered that...
MGASA-2015-0486 Updated mediawiki packages fix security vulnerabilities
Updated mediawiki packages fix security vulnerabilities: In MediaWiki before 1.23.12, an XSS vector exists when MediaWiki is configured with a non-standard configuration, from wikitext when $wgArticlePath='$1' CVE-2015-8622. In MediaWiki before 1.23.12, tokens were being compared as strings, whic...
Updated mediawiki packages fix security vulnerabilities
Updated mediawiki packages fix security vulnerabilities: In MediaWiki before 1.23.12, an XSS vector exists when MediaWiki is configured with a non-standard configuration, from wikitext when $wgArticlePath='$1' CVE-2015-8622. In MediaWiki before 1.23.12, tokens were being compared as strings, whic...
WordPress < 4.2.4 Multiple Vulnerabilities
Binary data 9031.prm...
Unspecified Vulnerability in Sensio Labs Symfony
Sensio Labs Symfony is a free French Sensio Labs , based on the MVC architecture of the PHP development framework . The framework provides commonly used functional components and tools , can be used to quickly create complex WEB program . A security vulnerability exists in the...
DEBIAN-CVE-2015-8125
Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the 1 Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or 2...
CVE-2015-8125
Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the 1 Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or 2...
CVE-2015-8125
Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the 1 Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or 2...
CVE-2015-8125
Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the 1 Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or 2...
Cross site request forgery (csrf)
Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the 1 Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or 2...
CVE-2015-8125
Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the 1 Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or 2...