CVE-2023-2886 Cross-Site WebSocket Hijacking in CBOT's Chatbot
Missing Origin Validation in WebSockets vulnerability in CBOT Chatbot allows Content Spoofing Via Application API Manipulation. This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7...
Malicious code in client-ws-app (npm)
Source: ossf-package-analysis 32231907789db551e533776ab68a4a01f4029a0723291d70d65927559eb647d2. The OpenSSF Package Analysis project identified 'client-ws-app' @ 5.20.20 (npm) as malicious. It is considered malicious because: - The package...
Apache Tomcat 9.0.0.M1 < 9.0.10 multiple vulnerabilities
The version of Tomcat installed on the remote host is prior to 9.0.10. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.10_security-9 advisory. - The host name verification when using TLS with the WebSocket client was missing. It is now enabled by...
springframework: DoS with STOMP over WebSocket
A flaw was found in Spring Framework Applications. Applications that use STOMP over the WebSocket endpoint are vulnerable to a denial of service attack caused by an authenticated user...
Amazon Linux 2 : tomcat (ALAS-2023-2047)
The version of tomcat installed on the remote host is prior to 7.0.76-10. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-2047 advisory. A privilege escalation flaw was found in Tomcat when the JMX Remote Lifecycle Listener was enabled. A local attacker...
Important: tomcat
Issue Overview: A privilege escalation flaw was found in Tomcat when the JMX Remote Lifecycle Listener was enabled. A local attacker without access to the Tomcat process or configuration files could manipulate the RMI registry to perform a man-in-the-middle attack. The attacker could...
Debian: Security Advisory (DLA-3420-1)
The remote host is missing an update for the Debian...
Debian dla-3420 : golang-github-gorilla-websocket-dev - security update
The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3420 advisory. Debian LTS Advisory DLA-3420-1 debian-lts-announce@lists.debian.org https://www.debian.org/lts/security/...
DLA-3420-1 golang-websocket - security update
[SECURITY] [DLA 3420-1] golang-websocket security update
Debian LTS Advisory DLA-3420-1 debian-lts-announce@lists.debian.org https://www.debian.org/lts/security/ Markus Koschany May 14, 2023 https://wiki.debian.org/LTS Package: golang-websocket Version: 1.4.0-1+deb10u1 CVE ID: CVE-2020-27813 An integer overflow vulnerability exists in golang-websocket, a Go...
CVE-2023-28361
A Cross-site WebSocket Hijacking (CSWSH) vulnerability found in UniFi OS 2.5 and earlier allows a malicious actor to access certain confidential information by persuading a UniFi OS user to visit a malicious webpage. Affected Products: Cloud Key Gen2, Cloud Key Gen2 Plus, UNVR, UNVR Professional, UDM, UDM...
Lack of security consideration leads to multiple critical weaknesses
Introduction: This report serves more as a suggestion to improve security, rather than fixing any single "vulnerability". I've given examples to demonstrate the impact that neglecting security may have, but these are not the root cause of the issue. Due to the nature of a package, being able to...
PT-2023-21672 · Ubiquiti · Unifi Os
Name of the Vulnerable Software and Affected Versions: UniFi OS versions 2.5 and earlier. Description: A Cross-site WebSocket Hijacking (CSWSH) issue allows a malicious actor to access certain confidential information by persuading a UniFi OS user to visit a malicious webpage. The affected products...
CVE-2023-28361
Vulnerability (CVE-2023-28361) : A Cross-site WebSocket Hijacking (CSWSH) issue in UniFi OS 2.5 and earlier allows a malicious actor to access certain confidential information by tricking a UniFi OS user into visiting a malicious page. Affected products include Cloud Key Gen2, Cloud Key Gen2 Plus...
OTRS 8.0.x < 8.0.32 Information Disclosure / DoS Vulnerability (OSA-2023-03)
OTRS is prone to an information disclosure and denial of service (DoS) vulnerability via WebSocket push events.
Mattermost Server < 7.1.6 / 7.2.x < 7.7.2 Information Disclosure (MMSA-2023-00138)
The version of Mattermost Server running on the remote host is prior to 7.1.6 or 7.2.x prior to 7.7.2. It is, therefore, affected by an information disclosure vulnerability. When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted...