5274 matches found
CVE-2018-14730
The CVE-2018-14730 entry concerns Browserify-HMR. Affected component: the WebSocket server used for Hot Module Replacement. Root cause: origin validation is missing, allowing any origin to receive HMR messages via ws://127.0.0.1:3123/ (or similar), enabling an attacker to access a developer’s cod...
CVE-2018-14732
CVE-2018-14732 affects webpack-dev-server before 3.1.6. The WebSocket server used for Hot Module Replacement does not validate the request origin, allowing any origin (including ws://127.0.0.1:8080/) to receive HMR messages. This can enable an attacker to access a developer’s source code from a p...
Valve: XSS in steam react chat client
The Steam chat client both sends and receives bbcode format chat messages. These map to HTML elements, and notably the url bbcode tag is supported for arbitrary URLs. React has strong XSS mitigations but does not mitigate javascript: URI based XSS. This is rather difficult to exploit as the clien...
Denial Of Service (DoS)
github.com/nanomsg/mangos is vulnerable to denial of service. The websocket module does not limit the size of messages which would allow an attacker to submit large messages and cause a denial of service condition on the server...
Debian DLA-1491-1 : tomcat8 security update
Two security issues have been discovered in the Tomcat servlet and JSP engine. CVE-2018-1336 An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. CVE-2018-8034 The host name verification when...
CoinHive intelligent web mining two or three thing-vulnerability warning-the black bar safety net
Mining has now become black hat profit, the main means of recently Internet by chance found part of the website is hung it to exist after the web mining behavior, different from the conventional virusoperating systemin the mining acts, pages mainly on the site hanging on the malicious JS scripts,...
Atmosphere 1.x / 2.x Cross Site Scripting Vulnerability
Async-IO.org Atmosphere suffers from a cross site scripting vulnerability. Versions affected include 2.4.0 through 2.4.28, 2.3.0 through 2.3.9, 2.2.0 through 2.2.12, 2.1.0 through 2.1.13, 2.0.0 through 2.0.11, and 1.0.0 through 1.0.20. COMPASS SECURITY ADVISORY...
asterisk -- Remote crash vulnerability in HTTP websocket upgrade
The Asterisk project reports: There is a stack overflow vulnerability in the reshttpwebsocket.so module of Asterisk that allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket. The attackers request causes Asterisk to run out of stack...
Amazon Linux AMI : tomcat8 (ALAS-2018-1056)
The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore,...
Amazon Linux AMI : tomcat7 / tomcat80 (ALAS-2018-1055)
The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore,...
Important: tomcat7, tomcat80
Issue Overview: The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default...
Apache Tomcat 'Hostname Verification' Security Bypass Vulnerability - Windows
Apache Tomcat is prone to a security bypass vulnerability. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:apache:tomcat";...
Apache Tomcat 'Hostname Verification' Security Bypass Vulnerability - Linux
Apache Tomcat is prone to a security bypass vulnerability. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:apache:tomcat";...
Design/Logic Flaw
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88...
CVE-2018-8034
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88...
CVE-2018-8034
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88...
CVE-2018-8034
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88...
CVE-2018-8034
CVE-2018-8034 concerns missing host name verification over TLS in the WebSocket client of Apache Tomcat. The issue affects multiple Tomcat branches and versions (7.0.35–7.0.88, 8.0.0.RC1–8.0.52, 8.5.0–8.5.31, 9.0.0.M1–9.0.9). Impact: an attacker on the local network could bypass host name verific...
CVE-2018-8034
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88...
CVE-2018-8034
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88...