67 matches found
Mozilla Firefox Security Advisory (MFSA2016-13) - Linux
This host is missing a security update for Mozilla Firefox. Copyright (C) 2021 Greenbone Networks GmbH. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; y...
Access Restrictions Bypass
Java is vulnerable to access restrictions bypass. crossdomain.xml files are not properly parsed, allowing remote attackers to bypass access restrictions and connect to arbitrary sites...
CVE-2017-8406
An issue was discovered on D-Link DCS-1130 devices. The device provides a crossdomain.xml file with no restrictions on who can access the webserver. This allows a hosted Flash file on any domain to make calls to the device's webserver and pull any information that is stored on the device. In thi...
CVE-2017-8406
CVE-2017-8406 affects D-Link DCS-1130 devices. The issue is that crossdomain.xml is accessible without restrictions, allowing a hosted flash file on any domain to call the device’s webserver and retrieve stored information, including credentials in clear text. The description also notes lack of c...
CVE-2017-8406
An issue was discovered on D-Link DCS-1130 devices. The device provides a crossdomain.xml file with no restrictions on who can access the webserver. This allows a hosted Flash file on any domain to make calls to the device's webserver and pull any information that is stored on the device. In thi...
gitaar.net Improper Access Control vulnerability
Open Bug Bounty ID: OBB-657967

| Description | Value |
|---|---|
| Affected Website: | gitaar.net |
| Open Bug Bounty Program: | Create your bounty program now. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | IAC Improper Access Control / CWE-284 |
| CVSSv3 Score: | 6.5... |
How to exploit CSRF vulnerabilities on JSON endpoints - vulnerability warning - the black bar safety net
(CSRF + Flash + HTTP 307) = don't say Flash is "dead"! If you want to exploit a CSRF vulnerability on a JSON endpoint via an attacker-controlled third-party server, I recommend the GitHub project json-flash-csrf-poc [download]. Background story: In a recent penetration...
Kindred Group: Full Account Takeover on *.unibet.com due to crossdomain.xml and AkamaiPlayer loaderContext
==Below is the original, partially-redacted report== --------- Hi, The core issues here are two things: 1. The too-wide crossdomain.xml located at: https://payment.unibet.com/crossdomain.xml https://se.unibet.com/crossdomain.xml https://www.unibet.com/crossdomain.xml 2. Issues with not-in-scope...
CVE-2017-7680
Apache OpenMeetings 1.0.0 has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains...
CVE-2017-7680
Apache OpenMeetings 1.0.0 has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains...
Design/Logic Flaw
Apache OpenMeetings 1.0.0 has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains...
CVE-2017-7680
CVE-2017-7680 affects Apache OpenMeetings 1.0.0. The issue is an overly permissive crossdomain.xml file, allowing flash content to be loaded from untrusted domains. Root cause: crossdomain policy grants loading from external domains, enabling potential cross-domain interactions. Impact is the abi...
CVE-2017-7680
Apache OpenMeetings 1.0.0 has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains...
Starbucks: Possible SOP bypass in www.starbucks.com due to insecure crossdomain.xml
Hello. I was penetration testing your website, and noticed that your crossdomain.xml file allowed many sites access. I went through and, for all the sites that had .website.com with them, I scanned them for subdomains. I found that a subdomain for ███████.com, a site in your crossdomain.xml, as...
D-Link DCS Series Cameras Insecure Crossdomain.xml
Exploit Title: Insecure CrossDomain.XML in D-Link DCS Series Cameras. Date: 22/02/2017. Exploit Author: SlidingWindow, Twitter: @KapilKhot. Vendor Homepage: http://us.dlink.com/product-category/home-solutions/view/network-cameras/ Version: Tested on DCS-933L with firmware version 1.03. Other...
Cross site request forgery (csrf)
D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because the 'allow-access-from domain' child element is set to '*', thus accepting requests from any domain. If a...
CVE-2017-7852
D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because the 'allow-access-from domain' child element is set to '*', thus accepting requests from any domain. If a...
CVE-2017-7852
CVE-2017-7852 affects D-Link DCS series cameras (notably DCS-933L, DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, DCS-932LB1). Root cause: weak CrossDomain.XML with allow-access-from set to * enables Cross-Site Request Forgery (CSRF) via malicious Flash hosted on attacker sites. ...
Insecure Cross-Domain Policy (allow-http-request-headers-from)
The browser security model normally prevents web content from one domain from accessing data from another domain. This is commonly known as the "same origin policy". URL policy files grant cross-domain permissions for reading data. They permit operations that are not permitted by default. The URL...
Insecure Cross-Domain Policy (allow-access-from)
The browser security model normally prevents web content from one domain from accessing data from another domain. This is commonly known as the "same origin policy". URL policy files grant cross-domain permissions for reading data. They permit operations that are not permitted by default. The URL...