78 matches found
JVN#57806517: Android App "Tootdon for Mastodon" fails to verify SSL server certificates
Android App "Tootdon for Mastodon" provided by Tsukurito, Inc. fails to verify SSL server certificates CWE-295. Impact A man-in-the-middle attack may allow an attacker to obtain and/or alter a content of communication. Solution Update the Application Update to the latest version according to the...
JVN#11622218: iChain Insurance Wallet App for iOS vulnerable to directory traversal
iChain Insurance Wallet App for iOS provided by iChain, Inc. uses the old version of cordova-plugin-ionic-webview, and inherits a directory traversal vulnerability CWE-22, CVE-2018-16202. Impact A remote attacker may obtain an arbitrary file such as a file related to an application on iOS device...
Critical OkCupid Flaw Exposed Daters to App Takeovers
A critical flaw in the OkCupid app has been found that could allow a bad actor to steal credentials, launch man-in-the-middle attacks or completely compromise the victim’s application. This is separate from the OKCupid account-takeover incident reported earlier in the week, but it does fit the...
Cross site request forgery (csrf)
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading a user to visit a malicious URL, a remote attacker could send a specially-crafted request. An attacker could explo...
JVN#77409513: DHC Online Shop App for Android fails to verify SSL server certificates
DHC Online Shop App for Android provided by DHC Corporation fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provid...
JVN#83671755: KINEPASS App fails to verify SSL server certificates
KINEPASS App provided by T・JOY CO.,LTD fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provided by the developer...
RBB SPEED TEST App fails to verify SSL server certificates
Overview RBB SPEED TEST App provided by IID, Inc. fails to verify SSL server certificates. DigiGnome reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may allow an attacker to...
JVN#82619692: Access CX App fails to verify SSL server certificates
Access CX App provided by NISSAN SECURITIES CO., LTD. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provided by...
JVN#43529183: Jetstar App for iOS fails to verify SSL server certificates
Jetstar App for iOS provided by Jetstar Airways Pty Ltd. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the application Update to the latest version according to the information provided ...
Apple iOS v9.x - Application Update Loop Pass Code Bypass
Document Title: =============== Apple iOS v9.x - Application Update Loop Pass Code Bypass References: =========== http://www.vulnerability-lab.com/getcontent.php?id=1711 View Video: https://www.youtube.com/watch?v=V-9lE1L3nq0 Apple Follow-up ID: 631627909 Advisory:...
Apple iOS v9.x - Application Update Loop Pass Code Bypass
Document Title: =============== Apple iOS v9.x - Application Update Loop Pass Code Bypass References: =========== http://www.vulnerability-lab.com/getcontent.php?id=1711 View Video: https://www.youtube.com/watch?v=V-9lE1L3nq0 Apple Follow-up ID: 631627909 Advisory:...
Apple iOS v9.x - Application Update Loop Pass Code Bypass
Document Title: =============== Apple iOS v9.x - Application Update Loop Pass Code Bypass References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1710 Apple Follow-up ID: 631627909 Video: http://www.vulnerability-lab.com/getcontent.php?id=1711 Vulnerability...
Good for Enterprise 2.2.2.1611 - XSS Vulnerability
Exploit for hardware platform in category web applications The vulnerable versions are v2.2.2.1611 and earlier Proof of Concept: HTML Email including the following payload will execute Javascript statements when the victim open the email using the vulnerable version. Payload: alert'XSS Here'...
Critical: Red Hat Security Advisory: rubygem-activesupport security update
An updated rubygem-activesupport package that fixes one security issue is now available for Red Hat OpenShift Enterprise 1.0. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System CVSS base score, which gives a detailed...
PT-2011-05: Cross-Site Scripting in Koha Library Software
Koha Library Software – library automation system. Vulnerability Description Positive Research Center detects XSS in Koha Library Software. Application insufficiently verifies incoming data from users in the following scripts: opac-downloadcart.pl opac-addbybiblionumber.pl opac-downloadshelf.pl...
Fedora Update for Miro FEDORA-2008-11598
Check for the Version of Miro OpenVAS Vulnerability Test Fedora Update for Miro FEDORA-2008-11598 Authors: System Generated Check Copyright: Copyright c 2009 Greenbone Networks GmbH, http://www.greenbone.net This program is free software; you can redistribute it and/or modify it under the terms o...
WinAmp contains a flaw in metadata handling in .mpa and .mp4 files
Overview WinAmp contains a flaw which may allow an attacker to crash WinAmp remotely via .mpa or .mp4 files. Description Nullsoft's WinAmp Player, a popular multimedia system for Microsoft Windows, contains a flaw in the handling of the metadata called "tags" contained within .mpa and .mp4 files...
BEA WebLogic Server fails to discard cached authentication information when web applications are updated
Overview The BEA WebLogic server contains a vulnerability that may allow authenticated users to bypass authentication for a given web application when the application has been updated. Description The BEA WebLogic Server provides a feature that allows it to store user authentication information f...