14 matches found
Rocket TRUfusion Enterprise 安全漏洞
Rocket TRUfusion Enterprise is a product lifecycle management platform from Rocket USA. A security vulnerability exists in Rocket TRUfusion Enterprise version 7.10.4.0 and earlier, which stems from the use of a static key to create an encrypted cookie, which could lead to a forged cookie and acce...
EUVD-2024-1178
Malicious code in bioql PyPI...
Fedora: Security Advisory (FEDORA-2025-c38fd06bec)
The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Bit Flipping Attack
cookie-encrypter is vulnerable to Bit flipping Attack. The vulnerability is due to the lack of integrity verification, allowing attackers to modify encrypted cookies without detection...
Password Pusher Allows Session Token Interception Leading to Potential Hijacking
Impact A vulnerability has been reported in Password Pusher where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before...
Password Pusher Allows Session Token Interception Leading to Potential Hijacking
Impact A vulnerability has been reported in Password Pusher where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before...
Bit flip attack vulnerability in cookie-encrypter
due to a weakness in the encryption method used in cookie-encrypter an attack can use the world visible IV to edit encrypted cookies without decrypting the cookie itself. This is known as an AES CBC bit flipping attack...
PT-2024-37046 · Unknown · Password Pusher
Name of the Vulnerable Software and Affected Versions: Password Pusher versions 1.50.3 and prior Description: A vulnerability has been reported in Password Pusher where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although the session tok...
CVE-2022-39287 Plaintext transmission of CSRF tokens in tiny-csrf
tiny-csrf is a Node.js cross site request forgery CSRF protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit 8eead6d and the patch with be included in version 1.1.0. Users are advise...
CVE-2021-41263
railsmultisite provides multi-db support for Rails applications. In affected versions this vulnerability impacts any Rails applications using railsmultisite alongside Rails' signed/encrypted cookies. Depending on how the application makes use of these cookies, it may be possible for an attacker t...
CVE-2021-41263
railsmultisite provides multi-db support for Rails applications. In affected versions this vulnerability impacts any Rails applications using railsmultisite alongside Rails' signed/encrypted cookies. Depending on how the application makes use of these cookies, it may be possible for an attacker t...
CVE-2021-41263
CVE-2021-41263 affects rails_multisite in Rails apps that rely on signed/encrypted cookies. The vulnerability allows cookie reuse across multiple sites within a multi-site Rails application due to how cookies are shared; it is mitigated by upgrading to rails_multisite v4, which invalidates all pr...
CVE-2020-15128
In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code nothing exploitable in the core project itself had a...
New Attack Breaks Confidentiality Model of SSL, Allows Theft of Encrypted Cookies
Two researchers have developed a new attack on TLS 1.0/SSL 3.0 that enables them to decrypt client requests on the fly and hijack supposedly confidential sessions with sensitive sites such as online banking, e-commerce and payment sites. The attack breaks the confidentiality model of the protocol...