752 matches found

NVD
added 2023/12/04 9:15 p.m. · 14 views

CVE-2023-47124

Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the HTTPChallenge to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers to achieve a slowloris attack. This...

CVSS 5.9 · EPSS 0.00791
Exploits 0 · References 8
CVE
added 2023/12/04 8:20 p.m. · 383 views

CVE-2023-47124

CVE-2023-47124 describes a DoS vector in Traefik when using HTTPChallenge to obtain/renew Let’s Encrypt TLS certificates: the 50-second delay allowed solving the challenge can be abused for a slowloris-style attack. Public details in the initial document specify impacts as a server availability r...

CVSS 5.9 · AI score 5.8 · EPSS 0.00791
Exploits 0 · References 8 · Affected Software 1
OSV
added 2023/12/04 8:20 p.m. · 21 views

CVE-2023-47124 Denial of service with ACME HTTPChallenge in Traefik

Traefik is an open source HTTP reverse proxy and load balancer. When Traefik is configured to use the HTTPChallenge to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge (50 seconds) can be exploited by attackers to achieve a slowloris attack. This...

CVSS 5.9 · AI score 6.2 · EPSS 0.00791
Exploits 0 · References 10
BDU FSTEC
added 2023/11/13 12:00 a.m. · 1 views

Vulnerability of the functions EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), and EVP_CipherInit_ex2() of the OpenSSL cryptographic library, which allows a perpetrator to gain unauthorized access to protected information

The vulnerabilities of the functions EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), and EVP_CipherInit_ex2() in the OpenSSL cryptographic library are related to the absence of necessary encryption steps. Exploiting these vulnerabilities can allow a remote attacker to gain unauthorized access to protected...

CVSS 7.8 · AI score 6.7 · EPSS 0.03332
Exploits 0 · References 17 · Affected Software 7
OSV
added 2023/10/14 6:30 a.m. · 0 views

GHSA-FPR8-4WVX-J9Q3 node-qpdf vulnerable to command injection

All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the...

CVSS 7.3 · AI score 6.1 · EPSS 0.02079
Exploits 1 · References 4
CNNVD
added 2023/10/14 12:00 a.m. · 4 views

QPDF Command Injection Vulnerability

QPDF is a C++ library and a set of programs to inspect and manipulate the structure of PDF files. A security vulnerability exists in all versions of the QPDF wrapper package, stemming from the failure of the encrypt method to filter its parameters, resulting in a command injection...

CVSS 9.8 · AI score 7.5 · EPSS 0.02079
Exploits 1 · References 3
Positive Technologies
added 2023/10/13 12:00 a.m. · 3 views

PT-2023-20534 · Node-Qpdf · Node-Qpdf

Name of the Vulnerable Software and Affected Versions: node-qpdf, all versions. Description: The issue arises from the encrypt method failing to sanitize its parameter input, which later flows into a sensitive command execution API. This allows attackers to inject malicious commands once they can...

CVSS 9.8 · AI score 9.7 · EPSS 0.02079
Exploits 1 · References 8
NVD
added 2023/09/28 7:15 p.m. · 14 views

CVE-2023-43657

discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration...

CVSS 7.2 · AI score 6.7 · EPSS 0.00491
Exploits 0 · References 3
Cvelist
added 2023/09/28 6:04 p.m. · 13 views

CVE-2023-43657 Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration

discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration...

CVSS 7.2 · AI score 6.8 · EPSS 0.00491
Exploits 0 · References 3
Vulnrichment
added 2023/09/28 6:04 p.m. · 11 views

CVE-2023-43657 Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration

discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration...

CVSS 7.2 · AI score 6.8 · EPSS 0.00491
Exploits 0 · References 3
CVE
added 2023/09/28 6:04 p.m. · 51 views

CVE-2023-43657

Summary: CVE-2023-43657 affects the discourse-encrypt plugin for Discourse. The issue is an improper escaping of encrypted topic titles that can lead to cross-site scripting (XSS) when CSP headers are disabled (a non-default configuration). The problem is addressed by commit 9c75810af9, included ...

CVSS 7.2 · AI score 6.3 · EPSS 0.00491
Exploits 0 · References 3 · Affected Software 1
OSV
added 2023/09/28 6:04 p.m. · 14 views

CVE-2023-43657 Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration

discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration...

CVSS 7.2 · AI score 5.7 · EPSS 0.00491
Exploits 0 · References 5
Positive Technologies
added 2023/09/28 12:00 a.m. · 3 views

PT-2023-28903 · Discourse · Discourse-Encrypt

Name of the Vulnerable Software and Affected Versions: discourse-encrypt plugin, affected versions not specified. Description: The discourse-encrypt plugin provides a secure communication channel through Discourse. However, improper escaping of encrypted topic titles could lead to a cross-site...

CVSS 7.2 · AI score 6 · EPSS 0.00491
Exploits 0 · References 9
Positive Technologies
added 2023/09/14 12:00 a.m. · 2 views

PT-2023-9602 · Hashicorp +2 · Hashicorp Vault +3

Name of the Vulnerable Software and Affected Versions: HashiCorp Vault and Vault Enterprise versions 1.6.0 through 1.12.10; HashiCorp Vault and Vault Enterprise versions 1.13.0 through 1.13.6; HashiCorp Vault and Vault Enterprise versions 1.14.0 through 1.14.2. Description: The issue is related to...

CVSS 7.5 · AI score 9 · EPSS 0.00798
Exploits 0 · References 20
NVD
added 2023/08/08 10:15 a.m. · 14 views

CVE-2023-21652

Cryptographic issue in HLOS: derived keys used to encrypt/decrypt information remain present on the stack after use...

CVSS 7.7 · AI score 7.4 · EPSS 0.00096
Exploits 0 · References 1
Positive Technologies
added 2023/07/26 12:00 a.m. · 4 views

PT-2023-26960 · WordPress · Video Conferencing With Zoom

Name of the Vulnerable Software and Affected Versions: Video Conferencing with Zoom plugin for WordPress, versions up to and including 4.2.1. Description: The issue is related to Sensitive Information Exposure due to a hardcoded encryption key in the vczapi encrypt decrypt function. This allows...

CVSS 5.3 · AI score 6.1 · EPSS 0.00322
Exploits 0 · References 7
OSV
added 2023/07/10 5:27 p.m. · 2 views

CLSA-2023-1689010064 Fix CVE(s): CVE-2022-29885

SECURITY UPDATE: EncryptInterceptor only provides partial protection on untrusted network - debian/patches/CVE-2022-29885.patch: Update the documentation to state that the EncryptInterceptor does not provide sufficient protection to run Tomcat clustering over an untrusted network. - CVE-2022-2988...

CVSS 7.5 · AI score 7.2 · EPSS 0.71653
Exploits 5 · References 1
Snyk
added 2023/06/30 12:01 p.m. · 2 views

Improper Neutralization of Special Elements used in a Command

Overview: node-qpdf is a wrapper around QPDF for content-preserving transformations on PDFs. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in a Command, such that the package-exported method encrypt fails to sanitize its parameter input, which...

CVSS 9.8 · AI score 7.3 · EPSS 0.02079
Exploits 1 · References 2
CNNVD
added 2023/06/28 12:00 a.m. · 3 views

Google Pixel Security Vulnerability

Google Pixel is a smartphone from the American company Google. Google Pixel suffers from a security vulnerability that originates in btm_acl_encrypt_change in btm_acl.cc, which could lead to the disclosure of local information, as the remote device can be treated as encrypted with encryption turned off an...

CVSS 5 · AI score 5.7 · EPSS 0.00076
Exploits 0 · References 2
Positive Technologies
added 2023/06/15 12:00 a.m. · 5 views

PT-2023-17907 · Google · Android

Name of the Vulnerable Software and Affected Versions: Android versions Android-11 through Android-12L. Description: The issue is related to improperly used crypto in the btm_sec_encrypt_change function of btm_sec.cc. This could lead to a paired device escalation of privilege with no additional...

CVSS 8.8 · AI score 8.4 · EPSS 0.00105
Exploits 0 · References 3