5295 matches found

Cvelist · added 2021/08/02 1:53 p.m. · 22 views

CVE-2021-37840

aaPanel through 6.8.12 allows Cross-Site WebSocket Hijacking (CSWH) involving OS commands within WebSocket messages at a ws:// URL for /webssh; the victim must have configured Terminal with at least one host. Successful exploitation depends on the browser used by a potential victim (e.g., exploitatio...

AI score 8.8 · EPSS 0.01661
Exploits: 2 · References: 2
CNNVD · added 2021/08/02 12:00 a.m. · 5 views

aaPanel security vulnerability

aaPanel is an open source hosting control panel. A security vulnerability exists in aaPanel LinuxStable 6.8.12 which allows attackers to conduct cross-site WebSocket hijacking (CSWH) involving OS commands in WebSocket messages...

CVSS 8.8 · AI score 7.8 · EPSS 0.01661
Exploits: 2 · References: 2
OSV · added 2021/07/30 2:15 p.m. · 1 views

CVE-2020-16839

On Crestron DM-NVX-DIR, DM-NVX-DIR80, and DM-NVX-ENT devices before the DM-XIO/1-0-3-802 patch, the password can be changed by sending an unauthenticated WebSocket request...

CVSS 7.5 · AI score 7.1
Exploits: 0 · References: 4
Prion · added 2021/07/30 2:15 p.m. · 13 views

Cross-site request forgery (CSRF)

On Crestron DM-NVX-DIR, DM-NVX-DIR80, and DM-NVX-ENT devices before the DM-XIO/1-0-3-802 patch, the password can be changed by sending an unauthenticated WebSocket request...

CVSS 5 · AI score 7.8 · EPSS 0.01177
Exploits: 0 · References: 4 · Affected software: 3
CNNVD · added 2021/07/30 12:00 a.m. · 3 views

Multiple Crestron devices authorization issue vulnerability

Crestron DM-NVX-DIR and DM-NVX-ENT are virtual switching devices from Crestron Electronics, Inc. An authorization vulnerability exists in multiple Crestron devices: an attacker can send an unauthenticated WebSocket request to change a password because the devi...

CVSS 7.5 · AI score 7.4 · EPSS 0.01177
Exploits: 0 · References: 5
RedHat Linux · added 2021/07/28 2:11 p.m. · 80 views

Moderate: Red Hat Security Advisory: OpenShift Virtualization 4.8.0 Images

Red Hat OpenShift Virtualization release 4.8.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which give...

CVSS 8.6 · AI score 6.7 · EPSS 0.03478
Exploits: 0 · References: 100
RedHat Linux · added 2021/07/27 10:36 p.m. · 0 views

python-eventlet: improper handling of highly compressed data and memory allocation with excessive size allows DoS

A flaw was found in eventlet. If an unauthenticated user manages to send large WebSocket frames or highly compressed data frames, this can lead to memory exhaustion. An attacker could use this flaw to cause a denial of service (DoS)...

CVSS 5.3 · AI score 7.3 · EPSS 0.01792
Exploits: 0 · References: 4
Cvelist · added 2021/07/27 2:20 p.m. · 18 views

CVE-2020-16839

On Crestron DM-NVX-DIR, DM-NVX-DIR80, and DM-NVX-ENT devices before the DM-XIO/1-0-3-802 patch, the password can be changed by sending an unauthenticated WebSocket request...

AI score 7.8 · EPSS 0.01177
Exploits: 0 · References: 3
CVE · added 2021/07/27 2:20 p.m. · 60 views

CVE-2020-16839

This CVE affects Crestron DM-NVX-DIR, DM-NVX-DIR80, and DM-NVX-ENT devices prior to patch DM-XIO/1-0-3-802. The root issue is an unauthenticated WebSocket request that allows changing the device password, indicating a lack of proper permission validation on the WebSocket API. The vulnerability is...

CVSS 7.5 · AI score 7.8 · EPSS 0.01177
Exploits: 0 · References: 4 · Affected software: 1
Hacker One · added 2021/07/23 4:09 a.m. · 32 views

PortSwigger Web Security: RCE of Burp Scanner / Crawler via Clickjacking

A vulnerability was discovered in Burp Suite, a web application security testing tool. The vulnerability allowed an attacker to exploit a known XSS vulnerability in the embedded Chrome browser used by Burp Suite. By leveraging this vulnerability, an attacker could execute arbitrary commands on th...

AI score 6.8
Exploits: 0
RedhatCVE · added 2021/07/18 1:58 a.m. · 122 views

CVE-2020-7662

websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via regex backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other...

CVSS 5 · AI score 4.2 · EPSS 0.02955
Exploits: 1 · References: 4
CNVD · added 2021/07/14 12:00 a.m. · 20 views

Dell PowerFlex Presentation Server data forgery vulnerability

Dell EMC PowerFlex is an application from Dell Inc. of the United States. A data forgery vulnerability exists in the Dell PowerFlex Presentation Server, originating from the product's WebSocket in the Presentation Server/WebUI not verifying user identity. An attacker could hijack the WebSocket to trick...

CVSS 6.5 · AI score 2.7 · EPSS 0.00336
Exploits: 0 · References: 1
OSV · added 2021/07/13 9:15 p.m. · 2 views

CVE-2021-32755

Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new...

CVSS 4.3 · AI score 5.8 · EPSS 0.00314
Exploits: 0 · References: 1
NVD · added 2021/07/13 9:15 p.m. · 16 views

CVE-2021-32755

Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new...

CVSS 5.4 · EPSS 0.00314
Exploits: 0 · References: 1
Prion · added 2021/07/13 9:15 p.m. · 14 views

Design/Logic Flaw

Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new...

CVSS 4 · AI score 4.7 · EPSS 0.00314
Exploits: 0 · References: 1 · Affected software: 1
CNNVD · added 2021/07/13 12:00 a.m. · 7 views

Wire trust management issue vulnerability

Wire is chat software by an individual developer. The software supports the Web, Windows, iOS, Android, and OS X platforms, has a group feature, allows voice calls, sends photos, and has its own greeting method, PING. A security vulnerability exists in Wire that stems from a request...

CVSS 5.4 · AI score 5.2 · EPSS 0.00314
Exploits: 0 · References: 2
NVD · added 2021/07/12 4:15 p.m. · 12 views

CVE-2021-21588

Dell EMC PowerFlex v3.5.x contains a Cross-Site WebSocket Hijacking vulnerability in the Presentation Server/WebUI. An unauthenticated attacker could potentially exploit this vulnerability by tricking the user into performing unwanted actions on the Presentation Server, which may lead ...

CVSS 6.5 · EPSS 0.00336
Exploits: 0 · References: 1
OSV · added 2021/07/12 4:15 p.m. · 4 views

CVE-2021-21588

Dell EMC PowerFlex v3.5.x contains a Cross-Site WebSocket Hijacking vulnerability in the Presentation Server/WebUI. An unauthenticated attacker could potentially exploit this vulnerability by tricking the user into performing unwanted actions on the Presentation Server, which may lead ...

CVSS 4.3 · AI score 5.8 · EPSS 0.00336
Exploits: 0 · References: 1
Prion · added 2021/07/12 4:15 p.m. · 13 views

Cross-site scripting

Dell EMC PowerFlex v3.5.x contains a Cross-Site WebSocket Hijacking vulnerability in the Presentation Server/WebUI. An unauthenticated attacker could potentially exploit this vulnerability by tricking the user into performing unwanted actions on the Presentation Server, which may lead ...

CVSS 4.3 · AI score 4.6 · EPSS 0.00336
Exploits: 0 · References: 1 · Affected software: 1
Cvelist · added 2021/07/12 3:40 p.m. · 12 views

CVE-2021-21588

Dell EMC PowerFlex v3.5.x contains a Cross-Site WebSocket Hijacking vulnerability in the Presentation Server/WebUI. An unauthenticated attacker could potentially exploit this vulnerability by tricking the user into performing unwanted actions on the Presentation Server, which may lead ...

CVSS 6.5 · AI score 6.6 · EPSS 0.00336
Exploits: 0 · References: 1