67 matches found
D-Link DCS Series Cameras - Insecure Crossdomain
D-Link DCS Series Cameras - Insecure Crossdomain Exploit Title: Insecure CrossDomain.XML in D-Link DCS Series Cameras Date: 22/02/2017 Exploit Author: SlidingWindow , Twitter: @KapilKhot Vendor Homepage: http://us.dlink.com/product-category/home-solutions/view/network-cameras/ Version: Tested on...
D-Link DCS Series Cameras - Insecure Crossdomain
Exploit Title: Insecure CrossDomain.XML in D-Link DCS Series Cameras Date: 22/02/2017 Exploit Author: SlidingWindow , Twitter: @KapilKhot Vendor Homepage: http://us.dlink.com/product-category/home-solutions/view/network-cameras/ Version: Tested on DCS-933L with firmware version 1.03. Other...
Mail.ru: Same origin policy bypass on e.mail.ru via Cross-Site Flashing
Hello Mail.Ru Security Team, There is a Cross-Site Flashing vulnerability in e.mail.ru. this vulnerability is similar to XSS except it is Flash script execution. Ref : https://www.owasp.org/index.php/TestingforCrosssiteflashingOTG-CLIENT-008 This allow an attacker to execute requests to the...
CVE-2016-1949
Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a...
DEBIAN-CVE-2016-1949
Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a...
Design/Logic Flaw
Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a...
CVE-2016-1949
CVE-2016-1949 affects Mozilla Firefox prior to 44.0.2 where Service Workers improperly interact with plugins, allowing remote attackers to bypass the Same-Origin Policy by a crafted site that triggers spoofed responses to NPAPI requests (e.g., crossdomain.xml). This is a network‑accessible vulner...
firefox: same-origin policy bypass
Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a service worker forges responses to those requests...
CVE-2016-1949
Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a...
Same-origin-policy violation using Service Workers with plugins — Mozilla
Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a service worker forges responses to those requests...
firefox -- Same-origin-policy violation using Service Workers with plugins
The Mozilla Foundation reports: MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a servic...
Imgur: risk of having secure=false in a crossdomain.xml
api.imgur.com permits SWF files on a non-HTTPS server to load data from this HTTPS server. Setting the secure attribute to false could compromise the security offered by HTTPS. In particular, setting this attribute to false opens secure content to snooping and spoofing attacks. The...
ok.ru: Same-Origin Policy Bypass #2
Hi, This is really similar issue to my previous report 102234 - exploitation mechanism is really same but other swf file is vulnerable. All conditions are met: - st.mycdn.me domain which is in ok.ru crossdomain.xml - Security.allowDomain'' - possibility to execute own SWF code provided by URL...
Bumble: crossdomain.xml too permissive on eu1.badoo.com, us1.badoo.com, etc.
Description The file crossdomain.xml that is hosted at https://eu1,us1,etc.badoo.com/crossdomain.xml is too permissive in the scope of allowed domains to access the content in the domain using Flash. When you contact Badoo via https://us1.badoo.com/feedback/, you can upload a file. This file can ...
Imgur: Crossdomain.xml settings on api.imgur.com too open
The crossdomain.xml file hosted at http://api.imgur.com/crossdomain.xml was too open. This allowed SWF files to make HTTP requests and see it's response. If this was not changed, then attacker.com can embed a SWF on attacker.com/example.html that makes an HTTP request to http://api.imgur.com/. Th...
Mail.ru: Same Origin Policy bypass
Hi, After small investigation I've probably found something that can be exploited to bypass Same Origin Policy on mail.ru services specially your main domain and e.mail.ru. First of all - let's take a look about your crossdomain.xml both for mail.ru and e.mail.ru: After time spent on searching...
Vimeo: Misconfigured crossdomain.xml - vimeo.com
An overly permissive crossdomain.xml file on a domain that serves sensitive content is a major security risk. It exposes the domain hosting the improperly configured crossomain.xml file to information disclosure and request forgery. Attackers cannot only forge requests, they can read responses...
CVE-2014-2227
The CVE-2014-2227 issue affects Ubiquiti Networks UniFi Video (AirVision Controller) before 3.0.1, where the default crossdomain.xml (Flash cross-domain policy) fails to restrict access, allowing remote attackers to bypass the Same Origin Policy via a crafted SWF file. This enables attacks such a...
Ubiquiti AirVision Controller 2.1.3 Weak Settings
----------- Vendor: ----------- Ubiquiti Networks http://www.ubnt.com/ ---------------------------------------------- Affected Products/Versions: ---------------------------------------------- AirVision Controller v2.1.3 Note: Previous versions may be affected ----------------- Description:...
Ubiquiti Networks UniFi Video Default - crossdomain.xml Security Bypass
Ubiquiti Networks UniFi Video Default - crossdomain.xml Security Bypass source: https://www.securityfocus.com/bid/68866/info UniFi Video is prone to a security-bypass vulnerability. An authenticated attacker can exploit this issue to bypass certain security restrictions and perform unauthorized...