11 matches found
EUVD-2021-9359
Malicious code in bioql PyPI...
CVE-2021-22213
A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari...
GitLab 7.10 < 13.10.5 / 13.11 < 13.11.5 / 13.12 < 13.12.2 (CVE-2021-22213)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safa...
New Cache Side Channel Attack Can De-Anonymize Targeted Online Users
A group of academics from the New Jersey Institute of Technology NJIT has warned of a novel technique that could be used to defeat anonymity protections and identify a unique website visitor. "An attacker who has complete or partial control over a website can learn whether a specific target i.e.,...
CVE-2021-22213
A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari...
CVE-2021-22213
A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari...
CVE-2021-22213
CVE-2021-22213 is a cross-site leak in the OAuth flow of all GitLab CE/EE versions since 7.10, enabling an attacker to leak an OAuth access token when a victim visits a malicious page in Safari. The issue is documented across multiple sources, noting the vulnerability affects GitLab CE/EE and tha...
PT-2021-4082 · Gitlab +1 · Gitlab Ce/Ee +2
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 7.10 and later Description: The issue is related to a cross-site leak vulnerability in the OAuth flow, allowing an attacker to leak an OAuth access token. This can be achieved by convincing a user to visit a malicious pa...
Slack: Cross-site leak allows attacker to de-anonymize members of his team from another origin
This issue was reported by researcher @jub0bs via HackerOne on December 29, 2020. The Slack security team reviewed the issue, understanding the nature of information disclosure on Dec 30th. We closed the issue as informative, which we do to reflect that the report, while accurate, has not taken...
Keybase: SOP bypass using browser cache
Summary An attacker has the ability to extract sensitive information from user's accounts, due to a CORS issue. On a minor note, this also is a cross-site leak as we can fingerprint what exact keybase user has accessed the attacker's website. Information disclosed:...
Internet Bug Bounty: Cross-site information assertion leak via Content Security Policy
It is possible to test for the satisfaction of certain assertions across origins by abuse of Content Security Policy. These could be assertions such as 'is the client logged into this website', or 'is the client logged in as this user', or 'does the client have access to these panels'. This gener...