
251 matches found

CVE
added 2023/08/06 6:31 a.m. | 38 views

CVE-2023-4177

CVE-2023-4177 affects EmpowerID up to version 7.205.0.0, involving unknown processing within the Multi-Factor Authentication Code Handler that can lead to information disclosure. The issue has high confidentiality impact with low attack complexity and low privileges required; exploitation is desc...

5.7 CVSS | 4.8 AI score | 0.00052 EPSS
Exploits 0 | References 3 | Affected Software 1
Cvelist
added 2023/07/05 6:1 p.m. | 13 views

CVE-2023-34337 Inadequate Encryption Strength

AMI SPx contains a vulnerability in the BMC where a user may cause an inadequate encryption strength by hash-based message authentication code (HMAC). A successful exploit of this vulnerability may lead to a loss of confidentiality, integrity, and availability...

7.6 CVSS | 8.9 AI score | 0.00154 EPSS
Exploits 0 | References 1
RedHat Linux
added 2023/06/27 10:56 a.m. | 2 views

zip4j: does not always check the MAC when decrypting a ZIP archive

A flaw was found in Zip4j. In this issue, it does not always check the MAC when decrypting a ZIP archive...

5.9 CVSS | 7.3 AI score | 0.00261 EPSS
Exploits 1 | References 4
Veracode
added 2023/02/17 7:54 a.m. | 35 views

Improper Signature Validation

Zip4j is vulnerable to Improper Signature Validation. The vulnerability is due to improper AES Message Authentication Code (MAC) validation when the MAC signature is corrupted in an encrypted ZIP archive. This flaw can result in an attacker modifying the archive without the library detecting the...

5.9 CVSS | 6.1 AI score | 0.00261 EPSS
Exploits 1 | References 11 | Affected Software 1
SUSE CVE
added 2023/02/15 6:9 a.m. | 3 views

SUSE CVE-2008-0960

SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7)...

10 CVSS | 7.2 AI score | 0.23493 EPSS
Exploits 7 | References 6
OSV
added 2023/01/10 2:15 a.m. | 1 views

DEBIAN-CVE-2023-22899

Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive...

5.9 CVSS | 6.7 AI score | 0.00261 EPSS
Exploits 1 | References 1
CNNVD
added 2023/01/10 12:0 a.m. | 5 views

Zip4j Access Control Error Vulnerability

Zip4j is a Java library for zip files and streams from the individual developer Srikanth Reddy Lingala. A security vulnerability exists in Zip4j that stems from the use of Zip4j that does not always check the MAC when decrypting ZIP archives...

5.9 CVSS | 6.9 AI score | 0.00261 EPSS
Exploits 1 | References 9
NVD
added 2022/10/06 6:16 p.m. | 20 views

CVE-2022-39222

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex instances with public clients (and by extension, clients accepting tokens issued by those Dex instances) are affected by this vulnerability if they are running a version prior to 2.35.0. An attacker can...

9.3 CVSS | 0.01184 EPSS
Exploits 1 | References 2
OSV
added 2022/09/23 11:4 a.m. | 1 views

OESA-2022-1953 ntp security update

NTP is a protocol designed to synchronize the clocks of computers over a network. NTP version 4, a significant revision of the previous NTP standard, is the current development version. It is formalized by RFCs released by the IETF. Security Fixes: ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x befo...

4.9 CVSS | 6.8 AI score | 0.03115 EPSS
Exploits 0 | References 2
CNNVD
added 2022/09/16 12:0 a.m. | 1 views

SAMSUNG mTower Buffer Error Vulnerability

SAMSUNG mTower is a new Trusted Execution Environment (TEE) from Samsung (South Korea). A security vulnerability exists in SAMSUNG mTower versions prior to 0.3.0, which stems from a vulnerable buffer access with an incorrect length value in its TEEMACUpdate function that allows a trusted application ...

7.5 CVSS | 7.5 AI score | 0.00488 EPSS
Exploits 0 | References 4
Tenable Nessus
added 2022/09/06 12:0 a.m. | 35 views

ASP.NET ViewState Remote Code Execution

The ViewState is a parameter specific to the ASP.NET framework; it is used as a breadcrumb trail when the user navigates the application, preserving values and controls between different web pages. Present on the pages in the viewstate parameter, all the values are serialized and encoded in base64 ...

7.2 AI score
Exploits 0 | References 4
OSV
added 2022/05/24 5:7 p.m. | 0 views

GHSA-FJ6F-6933-839J Non-constant time HMAC comparison

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a constant-time comparison when checking whether two HMACs are equal. This could potentially allow attackers to use statistical methods to obtain a valid HMAC for an attacker-controlled input value. Jenkins 2.219, LTS 2.204.2 now use...

5.3 CVSS | 5.9 AI score | 0.01523 EPSS
Exploits 0 | References 9
Tenable Nessus
added 2022/05/18 12:0 a.m. | 37 views

Checkbox Survey 6.12 <= 6.18 RCE

Checkbox Survey is an ASP.NET application that can add survey functionality to a website. Prior to version 7.0, Checkbox Survey implements its own View State functionality by accepting a VSTATE argument, which it then deserializes using LosFormatter. Because this data is manually handled by the...

9.8 CVSS | 9.1 AI score | 0.25548 EPSS
Exploits 0 | References 3
OSV
added 2022/05/17 5:45 a.m. | 1 views

GHSA-4FV4-CQ5V-X45M Improper Authentication in Apache MyFaces

shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracl...

5 CVSS | 6 AI score | 0.01039 EPSS
Exploits 0 | References 4
OSV
added 2022/05/13 1:9 a.m. | 0 views

GHSA-QC2P-Q7X9-V64P Covert Timing Channel in Apache CXF

The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks...

7.5 CVSS | 7.1 AI score | 0.06521 EPSS
Exploits 0 | References 12
CNNVD
added 2022/03/31 12:0 a.m. | 1 views

GE General Electric Renewable Energy MDS Radios Resource Management Error Vulnerability

GE General Electric Renewable Energy MDS Radios is a family of industrial wireless solutions from General Electric (GE). A resource management error vulnerability exists in GE General Electric Renewable Energy MDS iNET/iNET II/SD/TD220/TD220MAX Radios. An attacker using authentication code could...

9.1 CVSS | 8.4 AI score | 0.00257 EPSS
Exploits 0 | References 3
OSV
added 2022/03/10 5:47 p.m. | 0 views

CVE-2022-25825

Improper access control vulnerability in Samsung Account prior to version 13.1.0.1 allows attackers to access the authcode for sign-in...

5.5 CVSS | 6.1 AI score
Exploits 0 | References 1
CNNVD
added 2022/03/10 12:0 a.m. | 2 views

Samsung Account Authorization Issue Vulnerability

Samsung Account is a mobile account from Samsung, a South Korean company. Samsung Account versions prior to 13.1.0.1 contain an access control error vulnerability that stems from a network system or product that does not properly restrict access to resources from unauthorized roles. An attacker...

6.2 CVSS | 5.7 AI score | 0.00057 EPSS
Exploits 0 | References 2
Microsoft Malware Protection
added 2022/01/04 5:0 p.m. | 17 views

What you need to know about how cryptography impacts your security strategy

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest post of our Voice of the Community blog series, Microsoft Security Product Marketing Manager Natalia Godyla talks with Taurus SA Co-founder...

7.1 AI score
Exploits 0
CNVD
added 2021/09/24 12:0 a.m. | 17 views

Halibut input validation error vulnerability

Halibut, a secure, RPC-based open source communication framework from Octopus Deploy individual developers, is vulnerable to an input validation error that stems from a deserialization vulnerability in versions of Halibut prior to version 4.4.7 that could allow remote execution on systems that ar...

10 CVSS | 3.3 AI score | 0.01864 EPSS
Exploits 0 | References 1