Admidio Missing Minimum Administrator Check in Role Membership Removal
Summary: Role::stopMembership does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership contains this safety check, but the current code path bypasses it. Any administrator can remove the last remaining other...
EUVD-2017-16577
Malware in sbrugna...
Symfony2 security issue when the trust proxy mode is enabled
An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp method for sensitive decisions like IP-based access control. To fix this security issue, the following changes have been made to all versions of Symfony2: A new Request::setTrustedProxies method...
Validator.isValidSafeHTML is being deprecated and will be deleted from org.owasp.esapi:esapi in 1 year
Impact: The Validator.isValidSafeHTML method can result in false negatives where it reports some input as safe (i.e., returns true) but it really isn't, and using that same input as-is can in certain circumstances result in XSS vulnerabilities. Because this method cannot be fixed, it is being deprecat...
Oracle.sol uses deprecated Chainlink method latestAnswer()
Lines of code / Vulnerability details / Proof of Concept: Chainlink has marked the latestAnswer method as deprecated for its price feeds, but the code is using it. Impact: The latestAnswer method just returns the price and has no way to check whether it is stale. If the project is using a stale price it can...
Usage of deprecated transfer to send ETH
Lines of code / Vulnerability details / Impact: Usage of deprecated transfer; Swap can revert. Proof of Concept: The original transfer used to send ETH uses a fixed stipend of 2300 gas. This was used to prevent reentrancy. However, this limits your protocol's ability to interact with other contracts that need more th...
WordPress: Arbitrary change of blog's background image via CSRF
Description: Despite being deprecated since v3.5.0, the wp_set_background_image method defined in wp-admin/includes/class-custom-background.php, registered as an authenticated AJAX call wp_ajax_set-background-image, is still active. Given that the method is lacking CSRF checks, an attacker could chang...
DEBIAN-CVE-2017-7572
The checkPolkitPrivilege function in serviceHelper.py in Back In Time (aka backintime) 1.1.18 and earlier uses a deprecated polkit authorization method (unix-process) that is subject to a race condition (time of check, time of use). With this authorization method, the owner of a process requesting a...
openSUSE Security Update : python-django (openSUSE-2015-598)
python-django was updated to fix a remote denial of service (resource exhaustion) possibility in the auth views module (bsc#941587, CVE-2015-5963). Also, is_safe_url was made to reject URLs that start with control characters, to mitigate a possible XSS attack via user-supplied redirect URLs (bnc#923176,...
MSN Messenger UserID Detection (deprecated)
Binary data 2600.prm...
SQL Server Cleartext 'admin' Account 'admin' Password Attempted Login (deprecated)
Binary data 1115.prm...
Wireless Access Point (WAP) Detection (HTTP) (deprecated)
Binary data 1621.prm...
SQL Server Cleartext 'sa' Account 'password' Password Attempted Login (deprecated)
Binary data 1110.prm...