EUVD-2016-6088

Malware in sbrugna...

@apollo/server vulnerable to unsafe application of Content Security Policy via reused nonces

Context Content Security Policies CSP are a defense-in-depth strategy against XSS attacks. Improper application of CSP isn't itself a vulnerability, but it does fail to prevent XSS in the event that there is a viable attack vector for an XSS attack. Impact There aren't any XSS attack vectors via...

HackerOne: Content Security Policy not applied to error pages at multiple HackerOne endpoints

HackerOne CSP "script-src" includes "unsafe-inline" bypass via % and %" ----- Summary & Description We utilize a strict Content Security Policy and a safe-by-default templating language to effectively neutralize Cross-Site Scripting XSS. We encrypt all network communications with SSL/TLS...

Google Chrome CSPSource::schemeMatches Information Disclosure Vulnerability

Google Chrome is a web browsing tool developed by Google. In the CSP implementation of Blink in versions of Google Chrome prior to 52.0.2743.82, the WebKit/Source/core/frame/csp/CSPSource.cpp/CSPSource::schemeMatches function does not apply the http :80 policy to the https : 443 URL, nor does it...

CVE-2016-5137

The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy CSP implementation in Blink, as used in Google Chrome before 52.0.2743.82, does not apply http :80 policies to https :443 URLs and does not apply ws :80 policies to wss :443 URLs,...

Google Chrome Multiple Vulnerabilities (Mar 2016) - Windows

Google Chrome is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:google:chrome"; ifdescription...

Design/Logic Flaw

The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy CSP implementation in Blink, as used in Google Chrome before 48.0.2564.82, does not apply http policies to https URLs and does not apply ws policies to wss URLs, which makes it easie...

Design/Logic Flaw

The CSPSourceList::matches function in WebKit/Source/core/frame/csp/CSPSourceList.cpp in the Content Security Policy CSP implementation in Google Chrome before 47.0.2526.73 accepts a blob:, data:, or filesystem: URL as a match for a pattern, which allows remote attackers to bypass intended scheme...

Design/Logic Flaw

The CSPSource::hostMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy CSP implementation in Google Chrome before 47.0.2526.73 accepts an x.y hostname as a match for a .x.y pattern, which might allow remote attackers to bypass intended access restrictions...

CVE-2015-6786

The CSPSourceList::matches function in WebKit/Source/core/frame/csp/CSPSourceList.cpp in the Content Security Policy CSP implementation in Google Chrome before 47.0.2526.73 accepts a blob:, data:, or filesystem: URL as a match for a pattern, which allows remote attackers to bypass intended scheme...

CVE-2014-1485

The Content Security Policy CSP implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 operates on XSLT stylesheets according to style-src directives instead of script-src directives, which might allow remote attackers to execute arbitrary XSLT code by leveraging insufficient...

CentOS Update for thunderbird CESA-2012:0715 centos5

Check for the Version of thunderbird OpenVAS Vulnerability Test CentOS Update for thunderbird CESA-2012:0715 centos5 Authors: System Generated Check Copyright: Copyright c 2012 Greenbone Networks GmbH, http://www.greenbone.net This program is free software; you can redistribute it and/or modify i...

Cross site scripting

The Content Security Policy CSP implementation in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 does not block inline event handlers, which makes it easier for remote attackers to condu...