33 matches found
CVE-2022-39258 mailcow-dockerized critical information misrepresentation can lead to phishing attacks through Swagger UI
mailcow is a mailserver suite. A vulnerability innversions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. This could redirect a victim to an attacker controller place to steal Swagger authorization credentials or create a phishing page to stea...
GHSA-7QCX-4P32-QCMX Missing Cryptographic Step in cassproject
Impact CaSS Library, npm:cassproject has a missing cryptographic step when storing cryptographic keys that can allow a server administrator access to an account’s cryptographic keys. This affects CaSS servers using standalone username/password authentication, which uses a method that expects e2e...
Schneider Electric Easergy Builder Cryptographic Algorithm Vulnerability
The Schneider Electric Easergy Builder is used by expert engineering teams to configure the T300 grid automation platform. A cryptographic algorithm vulnerability exists in Schneider Electric Easergy Builder version 1.4.7.2 and earlier, which stems from a broken cryptographic algorithm used, and...
CVE-2020-7514
A CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerability exists in Easergy Builder Version 1.4.7.2 and older which could allow an attacker access to the authorization credentials for a device and gain full access...
CVE-2020-7514
Schneider Electric Easergy Builder (versions ≤ 1.4.7.2) contains a CWE-327 vulnerability due to use of a broken or risky cryptographic algorithm. This could allow an attacker to access the device’s authorization credentials and gain full access. The affected component is Easergy Builder; root cau...
CVE-2019-3793
Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP. A remote unauthenticated user could listen to network traffic and gain access to the authorization credentials...
Authorization
Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP. A remote unauthenticated user could listen to network traffic and gain access to the authorization credentials...
CVE-2019-3793 Invitations Service supports HTTP connections
Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP. A remote unauthenticated user could listen to network traffic and gain access to the authorization credentials...
CVE-2019-3793
CVE-2019-3793 affects Pivotal Apps Manager Release lines 665.0.x <665.0.28, 666.0.x <666.0.21, 667.0.x
Microsoft Azure DevOps Server CVE-2019-0874 Cross Site Scripting Vulnerability
Description Microsoft Azure DevOps Server is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. Th...
CVE-2011-2990
The CVE-2011-2990 vulnerability affects Mozilla Firefox 4.x–5 and SeaMonkey 2.x (before 2.3) where Content Security Policy (CSP) violation reports do not strip proxy-authorization credentials from the request headers, enabling potential leakage of credentials when a CSP report is read. The issue ...
CVE-2011-2990
The implementation of Content Security Policy CSP violation reports in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, and possibly other products does not remove proxy-authorization credentials from the listed request headers, which allows attackers to obtain sensitive information by...
CVE-2011-2990
The implementation of Content Security Policy CSP violation reports in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, and possibly other products does not remove proxy-authorization credentials from the listed request headers, which allows attackers to obtain sensitive information by...