
5330 matches found

OSV
added 2024/08/23 11:8 a.m. · 2 views

OESA-2024-2057 mozjs78 security update

SpiderMonkey is the code-name for Mozilla Firefox's C++ implementation of JavaScript. It is intended to be embedded in other applications that provide host environments for JavaScript. Security Fixes: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security...

CVSS 6.5 · AI score 8.5 · EPSS 0.00601
Exploits 0 · References 2
OSV
added 2024/08/21 3:11 p.m. · 19 views

GO-2022-0512 DoS in KubeEdge's Websocket Client in package Viaduct in github.com/kubeedge/kubeedge

DoS in KubeEdge's Websocket Client in package Viaduct in github.com/kubeedge/kubeedge...

CVSS 6.5 · AI score 6.4 · EPSS 0.00618
Exploits 0 · References 2
NVD
added 2024/08/15 7:15 p.m. · 21 views

CVE-2024-23168

Vulnerability in Xiexe XSOverlay before build 647 allows non-local websites to send the malicious commands to the WebSocket API, resulting in the arbitrary code execution...

CVSS 9.8 · EPSS 0.00406
Exploits 0 · References 3
Positive Technologies
added 2024/08/15 12:0 a.m. · 3 views

PT-2024-19694 · Xiexe · Xiexe Xsoverlay

Name of the Vulnerable Software and Affected Versions: Xiexe XSOverlay versions prior to build 647 Description: The issue allows non-local websites to send malicious commands to the WebSocket API, resulting in arbitrary code execution. Recommendations: For versions prior to build 647, update to...

CVSS 9.8 · AI score 8.2 · EPSS 0.00406
Exploits 0 · References 7
Amazon
added 2024/08/15 12:0 a.m. · 2 views

Medium: mod_http2

Issue Overview: Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. CVE-2024-36387 Affected Packages: mod_http2 Issue Correction: Run dnf update mod_http2 --releasever 2023.5.202408...

CVSS 5.4 · AI score 6.8 · EPSS 0.01715
Exploits 0
Amazon
added 2024/08/15 12:0 a.m. · 8 views

Medium: mod_http2

Issue Overview: Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. CVE-2024-36387 Affected Packages: mod_http2 Issue Correction: Run dnf update mod_http2 --releasever 2023.5.202408...

CVSS 5.4 · AI score 7.2 · EPSS 0.01715
Exploits 0
CVE
added 2024/08/15 12:0 a.m. · 83 views

CVE-2024-23168

CVE-2024-23168 affects Xiexe XSOverlay (desktop overlay for OpenVR) prior to build 647. The issue arises from handling commands sent via the WebSocket API by non-local websites, enabling arbitrary code execution. Documented impact is high (CVSS 3.1: 9.8; Confidentiality, Integrity, Availability: ...

CVSS 9.8 · AI score 7.8 · EPSS 0.00406
Exploits 0 · References 3
Vulnrichment
added 2024/08/15 12:0 a.m. · 13 views

CVE-2024-23168

Vulnerability in Xiexe XSOverlay before build 647 allows non-local websites to send the malicious commands to the WebSocket API, resulting in the arbitrary code execution...

AI score 7.8 · EPSS 0.00406
Exploits 0 · References 3
Cvelist
added 2024/08/15 12:0 a.m. · 23 views

CVE-2024-23168

Vulnerability in Xiexe XSOverlay before build 647 allows non-local websites to send the malicious commands to the WebSocket API, resulting in the arbitrary code execution...

EPSS 0.00406
Exploits 0 · References 3
Tenable Nessus
added 2024/08/13 12:0 a.m. · 26 views

Security Updates for Azure CycleCloud (August 2024)

The Azure CycleCloud product is missing security updates. It is, therefore, affected by the following vulnerabilities: - A remote code execution vulnerability exists due to a disclosure of the storage credentials. An authenticated, remote attacker can exploit this to bypass authentication and...

CVSS 7.8 · AI score 7.5 · EPSS 0.01357
Exploits 0 · References 6
Tenable Nessus
added 2024/08/12 12:0 a.m. · 8 views

WebSocket Detected

This is an informational plugin to inform the user that the scanner has detected the usage of WebSockets on the target web application. No source data...

AI score 7.2
Exploits 0 · References 1
Positive Technologies
added 2024/08/09 12:0 a.m. · 6 views

PT-2024-29448 · Havoc · Havoc

The affected software is Havoc 2, specifically version 0.7. This version is affected by an Unauthenticated Server-Side Request Forgery (SSRF) issue in demon callback handling, allowing attackers to send arbitrary network traffic from the team server, potentially leading to Remote Code Execution (RCE)...

CVSS 9.8 · AI score 8.1 · EPSS 0.02909
Exploits 6 · References 16
Veracode
added 2024/08/06 7:1 a.m. · 26 views

Path Traversal

@nuxt/devtools is vulnerable to Path Traversal. The vulnerability is due to missing authentication on the getTextAssetContent RPC function and a lack of Origin checks on the WebSocket handler, allowing attackers to interact with a locally running devtools instance and exfiltrate data...

CVSS 8.8 · AI score 6.8 · EPSS 0.01143
Exploits 2 · References 7 · Affected Software 1
NVD
added 2024/08/05 9:15 p.m. · 35 views

CVE-2024-23657

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Nuxt Devtools is missing authentication on the getTextAssetContent RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attack...

CVSS 8.8 · EPSS 0.01143
Exploits 2 · References 6
Cvelist
added 2024/08/05 8:27 p.m. · 40 views

CVE-2024-23657 Path Traversal: '../filedir' in Nuxt Devtools

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Nuxt Devtools is missing authentication on the getTextAssetContent RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attack...

CVSS 8.8 · EPSS 0.01143
Exploits 2 · References 6
Vulnrichment
added 2024/08/05 8:27 p.m. · 29 views

CVE-2024-23657 Path Traversal: '../filedir' in Nuxt Devtools

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Nuxt Devtools is missing authentication on the getTextAssetContent RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attack...

CVSS 8.8 · AI score 8.8 · EPSS 0.01143
Exploits 2 · References 6
CVE
added 2024/08/05 8:27 p.m. · 114 views

CVE-2024-23657

CVE-2024-23657 — Nuxt Devtools: The issue is a path traversal vulnerability in Nuxt Devtools via getTextAssetContent, combined with lack of Origin checks on the WebSocket, enabling an attacker to read arbitrary files from the devtools host and, in some configurations, leak the devtools authentica...

CVSS 8.8 · AI score 8.8 · EPSS 0.01143
Exploits 2 · References 6 · Affected Software 1
OSV
added 2024/08/05 7:48 p.m. · 21 views

GHSA-RCVG-RGF7-PPPV Nuxt Devtools has a Path Traversal: '../filedir'

Summary Nuxt Devtools is missing authentication on the getTextAssetContent RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attacker is able to interact with a locally running devtools instance and exfiltrate data abusing this...

CVSS 8.8 · AI score 8.9 · EPSS 0.01143
Exploits 2 · References 8
Github Security Blog
added 2024/08/05 7:48 p.m. · 45 views

Nuxt Devtools has a Path Traversal: '../filedir'

Summary Nuxt Devtools is missing authentication on the getTextAssetContent RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attacker is able to interact with a locally running devtools instance and exfiltrate data abusing this...

CVSS 8.8 · AI score 9 · EPSS 0.01143
Exploits 2 · References 8 · Affected Software 1
F5 Networks
added 2024/08/05 8:50 a.m. · 23 views

K000140581: Apache mod_proxy vulnerability CVE-2024-36387

Security Advisory Description Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. CVE-2024-36387 Impact There is no impact; F5 products are not affected by this vulnerability...

CVSS 5.4 · AI score 5.4 · EPSS 0.01715
Exploits 0