
5317 matches found

Snyk
added 2023/02/08 3:36 p.m., 2 views

Regular Expression Denial of Service (ReDoS)

Overview: deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s,s/...

CVSS 7.5, AI score 6.7, EPSS 0.01229
Exploits: 1, References: 2
Ubuntu
added 2023/02/06 3:58 a.m., 104 views

USN-5824-1: Thunderbird vulnerabilities

Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing,...

CVSS 9.8, AI score 8.2, EPSS 0.01061
Exploits: 0
The Hacker News
added 2023/01/26 6:01 a.m., 2 views

PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration

Cybersecurity researchers have unearthed a new attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems since at least August 2022. "This malware is unique in its utilization of WebSockets to avoid detection and for both command-and-control C...

AI score 7.3
Exploits: 0
RedHat Linux
added 2023/01/25 3:33 p.m., 6 views

Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers

The Mozilla Foundation Security Advisory describes this flaw as: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers...

CVSS 6.5, AI score 7.2, EPSS 0.00601
Exploits: 0, References: 6
RedHat Linux
added 2023/01/25 3:30 p.m., 8 views

Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers

The Mozilla Foundation Security Advisory describes this flaw as: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers...

CVSS 6.5, AI score 7.2, EPSS 0.00601
Exploits: 0, References: 6
RedHat Linux
added 2023/01/25 3:18 p.m., 3 views

Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers

The Mozilla Foundation Security Advisory describes this flaw as: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers...

CVSS 6.5, AI score 7.2, EPSS 0.00601
Exploits: 0, References: 6
Tenable Nessus
added 2023/01/25 12:00 a.m., 37 views

SUSE SLES15 / openSUSE 15 Security Update : rubygem-websocket-extensions (SUSE-SU-2023:0127-1)

The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:0127-1 advisory. - websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser ma...

CVSS 7.5, AI score 7.6, EPSS 0.04349
Exploits: 1, References: 4
Veracode
added 2023/01/24 8:59 p.m., 24 views

Information Disclosure

firefox is vulnerable to Information Disclosure. A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored, leading to connections to restricted origins from inside WebWorkers...

CVSS 6.5, AI score 0.7, EPSS 0.00601
Exploits: 0, References: 5, Affected Software: 6
OSV
added 2023/01/24 12:23 p.m., 6 views

SUSE-SU-2023:0127-1 Security update for rubygem-websocket-extensions

This update for rubygem-websocket-extensions fixes the following issues: - CVE-2020-7663: Fixed an excessive resource consumption when parsing crafted message headers sent by an attacker (bsc#1172445)...

CVSS 7.5, AI score 7.6, EPSS 0.04349
Exploits: 1, References: 3
OSV
added 2023/01/24 7:58 a.m., 7 views

MGASA-2023-0018 Updated firefox packages fix security vulnerability

A vulnerability was found in NSS. The NSS client auth crashes without a user certificate in the database, leading to a segmentation fault or crash (CVE-2022-3479). An out-of-date library, libusrsctp, contained vulnerabilities that could potentially be exploited (CVE-2022-46871). By confusing the browse...

CVSS 8.8, AI score 8.1, EPSS 0.00892
Exploits: 0, References: 7
Tenable Nessus
added 2023/01/24 12:00 a.m., 60 views

Oracle Linux 7 : firefox (ELSA-2023-0296)

The remote Oracle Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2023-0296 advisory. 102.7.0-1.0.1 - Remove upstream references Orabug: 30143292 - Update distribution for Oracle Linux Orabug: 30143292 - Add firefox-oracle-default-prefs....

CVSS 8.8, AI score 7.9, EPSS 0.00892
Exploits: 0, References: 9
RedHat Linux
added 2023/01/23 10:05 a.m., 4 views

Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers

The Mozilla Foundation Security Advisory describes this flaw as: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers...

CVSS 6.5, AI score 7.2, EPSS 0.00601
Exploits: 0, References: 6
RedHat Linux
added 2023/01/23 10:03 a.m., 6 views

Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers

The Mozilla Foundation Security Advisory describes this flaw as: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers...

CVSS 6.5, AI score 7.2, EPSS 0.00601
Exploits: 0, References: 6
RedHat Linux
added 2023/01/23 9:26 a.m., 5 views

Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers

The Mozilla Foundation Security Advisory describes this flaw as: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers...

CVSS 6.5, AI score 7.2, EPSS 0.00601
Exploits: 0, References: 6
RedHat Linux
added 2023/01/23 9:23 a.m., 3 views

Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers

The Mozilla Foundation Security Advisory describes this flaw as: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers...

CVSS 6.5, AI score 7.2, EPSS 0.00601
Exploits: 0, References: 6
RedHat Linux
added 2023/01/23 9:21 a.m., 3 views

Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers

The Mozilla Foundation Security Advisory describes this flaw as: A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers...

CVSS 6.5, AI score 7.2, EPSS 0.00601
Exploits: 0, References: 6
OSV
added 2023/01/23 6:29 a.m., 9 views

USN-5816-1 firefox vulnerabilities

Niklas Baumstark discovered that a compromised web child process of Firefox could disable web security opening restrictions, leading to a new child process being spawned within the file:// context. An attacker could potentially exploit this to obtain sensitive information. CVE-2023-23597 Tom...

CVSS 8.8, AI score 7.1, EPSS 0.00702
Exploits: 0, References: 10
CVE
added 2023/01/23 12:00 a.m., 58 views

CVE-2021-43445

ONLYOFFICE WebSocket authentication can be bypassed due to a default JWT signing key, affecting all versions up to 2021-11-08. The flaw is incorrect access control in the ONLYOFFICE document editor's WebSocket service, allowing an unauthenticated attacker to gain privileged access by using the de...

CVSS 9.8, AI score 9.4, EPSS 0.01707
Exploits: 0, References: 3, Affected Software: 1
CNNVD
added 2023/01/23 12:00 a.m., 4 views

ONLYOFFICE Authorization Issue Vulnerability

Ascensio System ONLYOFFICE is an office software suite from Ascensio System, Latvia. A security vulnerability exists in all versions of ONLYOFFICE prior to 2021-11-08 that stems from incorrect access control. An attacker can use the default JWT signing key to authenticate to the Web...

CVSS 9.8, AI score 8.4, EPSS 0.01707
Exploits: 0, References: 4
Tenable Nessus
added 2023/01/23 12:00 a.m., 44 views

Ubuntu 18.04 LTS / 20.04 LTS : Firefox vulnerabilities (USN-5816-1)

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5816-1 advisory. Niklas Baumstark discovered that a compromised web child process of Firefox could disable web security opening restrictions, leading to a new...

CVSS 8.8, AI score 8.2, EPSS 0.00702
Exploits: 0, References: 10