Cross site scripting

LogRhythm Platform Manager PM 7.4.9 allows CSRF. The Web interface is vulnerable to Cross-site WebSocket Hijacking CSWH. If a logged-in PM user visits a malicious site in the same browser session, that site can perform a CSRF attack to create a WebSocket from the victim client to the vulnerable P...

Design/Logic Flaw

LogRhythm Platform Manager PM 7.4.9 has Incorrect Access Control. Users within LogRhythm can be delegated different roles and privileges, intended to limit what data and services they can interact with. However, no access control is enforced for WebSocket-based communication to the PM application...

CVE-2020-25094

LogRhythm Platform Manager 7.4.9 allows Command Injection. To exploit this, an attacker can inject arbitrary program names and arguments into a WebSocket. These are forwarded to any remote server with a LogRhythm Smart Response agent installed. By default, the commands are run with LocalSystem...

CVE-2020-25095

LogRhythm Platform Manager PM 7.4.9 allows CSRF. The Web interface is vulnerable to Cross-site WebSocket Hijacking CSWH. If a logged-in PM user visits a malicious site in the same browser session, that site can perform a CSRF attack to create a WebSocket from the victim client to the vulnerable P...

CVE-2020-25096

CVE-2020-25096 affects LogRhythm Platform Manager (PM) 7.4.9 and describes an Incorrect Access Control issue where WebSocket-based communication to the PM application server is not protected by access control, allowing a low-privilege user to interact with any back-end component that has a LogRhy...

CVE-2020-25096

LogRhythm Platform Manager PM 7.4.9 has Incorrect Access Control. Users within LogRhythm can be delegated different roles and privileges, intended to limit what data and services they can interact with. However, no access control is enforced for WebSocket-based communication to the PM application...

LogRhythm Platform Manager (PM) Cross-Site Request Forgery Vulnerability

Logrhythm Platform Manager is a component of the Logrhythm application from Logrhythm USA. The component is responsible for centralized management of alerts, notifications and case and security event management. Supports real-time dashboards, SmartResponse operations and reports. LogRhythm Platfo...

Logrhythm Platform Manager Injection Vulnerability

Logrhythm Platform Manager is a component of the Logrhythm application from Logrhythm USA. The component is responsible for centralized management of alerts, notifications and case and security event management. Supports real-time dashboards, SmartResponse actions and reports. An injection...

CVE-2020-14368

A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery CSRF and consequently allowing a cross-site WebSocket hijack on Thei...

CVE-2020-14368

A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery CSRF and consequently allowing a cross-site WebSocket hijack on Thei...

Cross site request forgery (csrf)

A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery CSRF and consequently allowing a cross-site WebSocket hijack on Thei...

CVE-2020-14368

A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery CSRF and consequently allowing a cross-site WebSocket hijack on Thei...

CVE-2020-14368

CVE-2020-14368 affects Eclipse Che (versions prior to 7.14.0) when cookie-based authentication is configured, enabling CSRF due to Theia IDE not setting SameSite correctly and enabling a cross-site WebSocket hijack on the /services endpoint. Attack scenario involves MITM and tricking the user int...

EulerOS 2.0 SP8 : libvncserver (EulerOS-SA-2020-2518)

According to the version of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was discovered that websockets.c in LibVNCServer prior to 0.9.12 did not properly decode certain WebSocket frames. A malicious attacker cou...

CVE-2020-29666

In Lan ATMService M3 ATM Monitoring System 6.1.0, due to a directory-listing vulnerability, a remote attacker can view log files, located in /websocket/logs/, that contain a user's cookie values and the predefined developer's cookie value...

Directory traversal

In Lan ATMService M3 ATM Monitoring System 6.1.0, due to a directory-listing vulnerability, a remote attacker can view log files, located in /websocket/logs/, that contain a user's cookie values and the predefined developer's cookie value...

CVE-2020-29666

The CVE-2020-29666 issue affects Lan ATMService M3 ATM Monitoring System 6.1.0. A directory-listing vulnerability in the web interface allows a remote attacker to read log files under /websocket/logs/ that contain a user cookie and the predefined developer cookie value. The underlying root cause ...

Lan ATMService M3 ATM 安全漏洞

Lan ATMService M3 ATM Monitoring System is a software for monitoring ATM machines from the Russian company Lan ATMService. A directory traversal vulnerability exists in Lan ATMService M3 ATM Monitoring System 6.1.0. An attacker can use this vulnerability to view log files in /websocket/logs/ that...

DEBIAN-CVE-2020-13543

A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2.30.0. A specially crafted web page can trigger a use-after-free vulnerability which can lead to remote code execution. An attacker can get a user to visit a webpage to trigger this vulnerability...

CVE-2020-13543

A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2.30.0. A specially crafted web page can trigger a use-after-free vulnerability which can lead to remote code execution. An attacker can get a user to visit a webpage to trigger this vulnerability...