2563 matches found

OSV
added 2020/07/29 6:07 p.m., 21 views

GHSA-33C7-2MPW-HG34 Log injection in uvicorn

This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ANSI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request craft...

CVSS 8.7, AI score 7.6, EPSS 0.01345
Exploits 1, References 6
CNVD
added 2020/07/22 12:00 a.m., 2 views

Nanjing Ironbound Network Technology Co., Ltd. 114 Ticketing APP has logic flaws and vulnerabilities

Nanjing Tiehang Network Technology Co., Ltd. (Tiehang.com), founded in 2011, applies IT technology and Internet thinking to offer a one-stop national online train-ticket purchasing service and is a domestic online train-ticket platform. Nanjing Ironbound Network Technology...

AI score 7.2
Exploits 0
Prion
added 2020/07/20 6:15 p.m., 17 views

Cross site scripting

The server management software module of ZTE has a stored XSS vulnerability. An attacker can insert attack code through the front-end login page, causing users to execute the predefined malicious script in their browser. This affects...

CVSS 4.3, AI score 6.1, EPSS 0.00641
Exploits 0, References 1, Affected Software 3
VulnCheck KEV
added 2020/07/19 12:00 a.m., 3 views

VulnCheck KEV: CVE-2019-6110

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server or Man-in-The-Middle attacker can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred...

CVSS 6.8, AI score 7, EPSS 0.20906
Exploits 8, References 1
VulnCheck KEV
added 2020/07/19 12:00 a.m., 2 views

VulnCheck KEV: CVE-2019-6109

An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server or Man-in-The-Middle attacker can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This...

CVSS 6.8, AI score 6.9, EPSS 0.03807
Exploits 0, References 1
Apple
added 2020/07/15 12:00 a.m., 47 views

About the security content of macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra

This document describes the security content of macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra. About Apple security updates F...

CVSS 10, AI score 9.7, EPSS 0.08036
Exploits 13, References 1, Affected Software 3
OSV
added 2020/07/09 7:15 p.m., 2 views

CVE-2020-15001

An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked whe...

CVSS 5.3, AI score 6.1, EPSS 0.00552
Exploits 1, References 1
Prion
added 2020/07/09 7:15 p.m., 12 views

Design/Logic Flaw

An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked whe...

CVSS 2.9, AI score 5.1, EPSS 0.00552
Exploits 1, References 1, Affected Software 1
Citrix
added 2020/07/08 12:00 a.m., 8 views

Citrix Client SSL Error Codes

This article provides information on Citrix Client SSL Error Codes. To assist with troubleshooting, Citrix Technical Support has compiled a list of generic SSL error codes that the Citrix client might present to the user or write in the Event log when an error occurs. Important! This article is...

AI score 7.5
Exploits 0
OSV
added 2020/07/01 3:15 p.m., 1 view

CVE-2020-5899

In NGINX Controller 3.0.0-3.4.0, the recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or has read access to the database to request a password reset using the email address ...

CVSS 7.8, AI score 7.2, EPSS 0.00185
Exploits 0, References 1
Openbugbounty
added 2020/06/21 2:35 p.m., 11 views

phpcodes.nl Cross Site Scripting vulnerability OBB-1203004

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...

Exploits 0
Prion
added 2020/06/17 8:15 p.m., 18 views

Design/Logic Flaw

The wireless-communication feature of the ABUS Secvest FUBE50001 device does not encrypt sensitive data such as PIN codes or the IDs of the proximity chip keys (RFID tokens) in use. This makes it easier for an attacker to disarm the wireless alarm system...

CVSS 4.8, AI score 7.9, EPSS 0.00793
Exploits 2, References 4
CVE
added 2020/06/17 7:27 p.m., 87 views

CVE-2020-14157

CVE-2020-14157 affects ABUS Secvest FUBE50001: the wireless-communication feature transmits PIN codes and RFID token IDs without encryption. The root cause is missing encryption for sensitive data in the wireless channel, enabling an attacker to disarm the wireless alarm system. Documents explicitly ...

CVSS 8.1, AI score 7.9, EPSS 0.00793
Exploits 2, References 4, Affected Software 1
CNVD
added 2020/06/03 12:00 a.m., 1 view

ASUS Aura Sync Buffer Overflow Vulnerability

ASUS Aura Sync is a hardware lighting synchronization plug-in from Asus Taiwan, China. A security vulnerability exists in the Ene.sys file in ASUS Aura Sync 1.07.71 and earlier versions, which originates from the program failing to properly validate input sent to IOCTL 0x80102044, 0x80102050, and...

CVSS 7.8, AI score 6.7, EPSS 0.0073
Exploits 5, References 1
Sick AG
added 2020/05/31 10:00 a.m., 5 views

Security Information Regarding "Profile Programming"

The customer IOActive provided a Security Advisory report to SICK AG referring to the profile programming feature with regard to the listed affected products. Certain SICK products support profile programming with bar codes, generated and printed via SOPAS ET...

AI score 6.9
Exploits 0
The Hacker News
added 2020/05/15 9:43 a.m., 4 views

HTTP Status Codes Command This Malware How to Control Hacked Systems

A new version of the COMpfun remote access trojan (RAT) has been discovered in the wild that uses HTTP status codes to control compromised systems targeted in a recent campaign against diplomatic entities in Europe. The cyberespionage malware, traced to Turla APT with "medium-to-low level of confidence"...

AI score 5.8
Exploits 0
The Hacker News
added 2020/05/15 9:43 a.m., 63 views

HTTP Status Codes Command This Malware How to Control Hacked Systems

A new version of the COMpfun remote access trojan (RAT) has been discovered in the wild that uses HTTP status codes to control compromised systems targeted in a recent campaign against diplomatic entities in Europe. The cyberespionage malware, traced to Turla APT with "medium-to-low level of confidence"...

AI score 0.3
Exploits 0
Securelist
added 2020/05/14 10:00 a.m., 73 views

COMpfun authors spoof visa application with HTTP status-based Trojan

You may remember that in autumn 2019 we published a story about how a COMpfun successor known as Reductor infected files on the fly to compromise TLS traffic. If you're wondering whether the actor behind the malware is still developing new features, the answer is yes. Later in November 2019 our...

AI score 7.2
Exploits 0
OSV
added 2020/04/30 10:15 p.m., 1 view

CVE-2020-6865

ZTE SDN controller platform is impacted by an information leakage vulnerability. Because the program does not properly handle its error responses to requests, the caller can directly view the component's internal error-code location. Attackers could exploit this vulnerability to obtain...

CVSS 6.5, AI score 6.7, EPSS 0.00874
Exploits 0, References 1
The Hacker News
added 2020/04/30 12:14 p.m., 4 views

New Android Malware Steals Banking Passwords, Private Data and Keystrokes

A new type of mobile banking malware has been discovered abusing Android's accessibility features to exfiltrate sensitive data from financial applications, read user SMS messages, and hijack SMS-based two-factor authentication codes. Called "EventBot" by Cybereason researchers, the malware is...

AI score 5.8
Exploits 0