jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS
A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability...
Malicious Package
Overview channel-websocket is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package...
MAL-2022-6354 Malicious code in superset-websocket (npm)
Source: ghsa-malware (71368c8e29fe057fcc95335932ec6248b0a21541c5be1c4f54aa8fa03167a152). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-3572 Malicious code in hb-websocket-client (npm)
Source: ghsa-malware (b7dec13e28e581a9f8949e7c49dcc4ff1e9957ae0b21e4d422b33d6ac2e8c724). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-4696 Malicious code in moralis-websocket (npm)
Source: ghsa-malware (14634273e48d41bdb2458210235b37dfd6b2533ee98bbb97d873674841041de0). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Spring Tips: Learn Spring for GraphQL (parts 5 and 6 of an ongoing series)
Hi, Spring fans! In these installments, we continue our series introducing the Spring for GraphQL project. This series features Spring for GraphQL lead Rossen Stoyanchev @rstoya05 - whose work you may know from basically everything in the wide and wonderful world of Springdom having to do...
GHSA-GRVM-GCQF-GH8Q Xen Orchestra Mishandles Authorization
Xen Orchestra with xo-web through 5.80.0 and xo-server through 5.84.0 mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data in which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit,...
GHSA-6H8C-GW33-CJM2 DevSpace vulnerable to remote code execution
The UI in DevSpace 4.13.0 allows web sites to execute actions on pods on behalf of a victim because of a lack of authentication for the WebSocket protocol. This leads to remote code execution...
The vulnerability of the Apache Tomcat application server arises from errors that occur when both the WebSocket connection is terminated and WebSocket messages are sent at the same time. This allows an attacker to disclose sensitive information or carry out other malicious actions.
The vulnerability of the Apache Tomcat application server is related to errors that occur when both the WebSocket connection is closed and a WebSocket message is sent. Exploiting this vulnerability allows a malicious actor to disclose sensitive information or cause other adverse effects...
CVE-2017-2921
An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow, leading to a heap buffer overflow and resulting in denial of service and potential remote code execution. An...
CVE-2022-25227
Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browsing a malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE...
Spring for GraphQL 1.0 Release
On behalf of the Spring for GraphQL team and every contributor, it is my pleasure to announce the 1.0 GA release. It's been 10 months since the project was announced and under 2 years since the first commit, unremarkably called "first commit". The project began with the modest goal to replace the...
CVE-2022-22971
A flaw was found in Spring Framework Applications. Applications that use STOMP over the WebSocket endpoint are vulnerable to a denial of service attack caused by an authenticated user...
GHSA-RP9P-863F-9C4H Cross-site Scripting in Apache ActiveMQ
Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2)...