53 matches found
Mozilla Firefox and Firefox ESR Same Origin Policy Bypass Vulnerability
Mozilla Firefox is an open source web browser.Firefox ESR is an extended support version of Firefox. Mozilla Firefox incorrectly uses the CORS cross-origin request algorithm of the POST method to handle the server-side Content-Type header, and a remote attacker can exploit the vulnerability to...
CVE-2015-7193
Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperly follow the CORS cross-origin request algorithm for the POST method in situations involving an unspecified Content-Type header manipulation, which allows remote attackers to bypass the Same Origin Policy by leveraging the lack...
CVE-2015-6762
CVE-2015-6762 affects Chromium/Google Chrome engines prior to 46.0.2490.71. The vulnerability lies in the CSSFontFaceSrcValue::fetch path in Blink’s CSS font loading, where the CORS cross-origin request algorithm is not used for fonts with seemingly same-origin URLs, allowing a remote server to b...
CVE-2015-6762
The CSSFontFaceSrcValue::fetch function in core/css/CSSFontFaceSrcValue.cpp in the Cascading Style Sheets CSS implementation in Blink, as used in Google Chrome before 46.0.2490.71, does not use the CORS cross-origin request algorithm when a font's URL appears to be a same-origin URL, which allows...
UBUNTU-CVE-2015-6762
The CSSFontFaceSrcValue::fetch function in core/css/CSSFontFaceSrcValue.cpp in the Cascading Style Sheets CSS implementation in Blink, as used in Google Chrome before 46.0.2490.71, does not use the CORS cross-origin request algorithm when a font's URL appears to be a same-origin URL, which allows...
CVE-2015-3752
The Content Security Policy implementation in WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not properly restrict cookie transmission for report requests, which allows remote attackers to obtain sensitive...
Cross site request forgery (csrf)
The Content Security Policy implementation in WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not properly restrict cookie transmission for report requests, which allows remote attackers to obtain sensitive...
CVE-2015-3752
The CVE-2015-3752 issue affects WebKit’s Content Security Policy handling in Safari (and underlying WebKit in iOS) prior to specific updates. The root cause is improper restriction of cookie transmission for CSP report requests, enabling potential leakage of cookies via cross-origin requests or p...
CVE-2015-3752
The Content Security Policy implementation in WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not properly restrict cookie transmission for report requests, which allows remote attackers to obtain sensitive...
CVE-2015-3752
The Content Security Policy implementation in WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not properly restrict cookie transmission for report requests, which allows remote attackers to obtain sensitive...
cmseasy csrf通过一个xss最后getshell
简要描述: 为什么我们要选择get类型的呢,因为get类型存储到数据库的时候触发时候管理员是察觉不到的,可以通过图片等进行操作,然后我们存储一个xss后门,这样一来,我们就可以加载一个远端的js,那么就各种无视token和referer了 详细说明: 开始我们先分析一段源代码: celive/admin/system.php:line:128-142: if$do == 'add' and $username != '' $password = addslashes$REQUEST'password'; $password = md5$password; $realname =...
SeaMonkey < 2.0.7 Multiple Vulnerabilities
Binary data 5660.prm...
CVE-2010-1760
Removed by vendor...