18 matches found

EUVD
added 2025/10/03 8:7 p.m. · 3 views

EUVD-2024-38290

Malicious code in bioql PyPI...

8.7 CVSS · 7.5 AI score · 0.00194 EPSS
Exploits 0 · References 1

EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2024-0648

Malicious code in bioql PyPI...

4.9 CVSS · 5 AI score · 0.00291 EPSS
Exploits 0 · References 7

CVE
added 2024/07/09 12:5 p.m. · 39 views

CVE-2024-39888

CVE-2024-39888 affects Mendix Encryption versions 10.0.0 to 10.0.1, where a hard-coded default EncryptionKey enables decryption of encrypted project data if no per-project key is specified. Root cause: a security-relevant constant defined by default in the module. Consequences stated across sourc...

8.7 CVSS · 6.8 AI score · 0.00194 EPSS
Exploits 0 · References 1

Positive Technologies
added 2024/07/09 12:0 a.m. · 3 views

PT-2024-8753 · Mendix · Mendix Encryption

Name of the Vulnerable Software and Affected Versions: Mendix Encryption versions 10.0.0 through 10.0.1
Description: A vulnerability has been identified in the Mendix Encryption module, where affected versions define a specific hard-coded default value for the EncryptionKey constant. This default...

8.7 CVSS · 7.4 AI score · 0.00194 EPSS
Exploits 0 · References 8

Veracode
added 2024/06/14 12:11 p.m. · 7 views

Insecure Deserialization

typo3/cms is vulnerable to Insecure Deserialization. The vulnerability is due to improper handling of user-submitted payloads that are signed with an HMAC-SHA1 using the sensitive TYPO3 encryptionKey as the secret. If the encryptionKey is known to attackers, they can craft a malicious payload tha...

6.9 AI score
Exploits 0

OSV
added 2024/06/07 5:7 p.m. · 8 views

GHSA-HH95-5XM5-V8V7 TYPO3 CMS Possible Insecure Deserialization in Extbase Request Handling

It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret - invalid or unsigned payload is not deserialized. However, since sensiti...

8.1 CVSS · 6.8 AI score
Exploits 0 · References 5

Github Security Blog
added 2024/05/30 6:37 p.m. · 11 views

TYPO3 Possible Insecure Deserialization in Extbase Request Handling

It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret - invalid or unsigned payload is not deserialized. However, since sensiti...

6.8 AI score
Exploits 0 · References 3 · Affected Software 1

OSV
added 2024/05/30 6:37 p.m. · 8 views

GHSA-5H5V-M596-R6RF TYPO3 Possible Insecure Deserialization in Extbase Request Handling

It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret - invalid or unsigned payload is not deserialized. However, since sensiti...

8.1 CVSS · 6.8 AI score
Exploits 0 · References 3

Veracode
added 2024/02/14 6:56 a.m. · 11 views

Information Disclosure

TYPO3 is vulnerable to Information Disclosure. The vulnerability is due to the plaintext value of the $GLOBALS['SYS']['encryptionKey'] displayed in the TYPO3 Install Tool user interface. This allows an attacker to utilize the value to generate cryptographic hashes to verify the authenticity of HTTP...

4.9 CVSS · 6.7 AI score · 0.00291 EPSS
Exploits 0 · References 5 · Affected Software 1

NVD
added 2024/02/13 11:15 p.m. · 11 views

CVE-2024-25119

TYPO3 is an open source PHP based web content management system released under the GNU GPL. The plaintext value of $GLOBALS['SYS']['encryptionKey'] was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic hashes...

4.9 CVSS · 5.3 AI score · 0.00291 EPSS
Exploits 0 · References 2

Prion
added 2024/02/13 11:15 p.m. · 12 views

Design/Logic Flaw

TYPO3 is an open source PHP based web content management system released under the GNU GPL. The plaintext value of $GLOBALS['SYS']['encryptionKey'] was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic hashes...

3.3 CVSS · 7 AI score · 0.00291 EPSS
Exploits 0 · References 2

Tenable Nessus
added 2020/08/06 12:0 a.m. · 27 views

FreeBSD : typo3 -- multiple vulnerabilities (eab964f8-d632-11ea-9172-4c72b94353b5)

Typo3 Team reports: In case an attacker manages to generate a valid cryptographic message authentication code HMAC-SHA1 - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. Thi...

8.8 CVSS · 8.5 AI score · 0.02358 EPSS
Exploits 1 · References 6

OSV
added 2020/07/29 5:15 p.m. · 18 views

CVE-2020-15099

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code HMAC-SHA1 - either by using a different existing vulnerability or in case t...

8.1 CVSS · 8.8 AI score
Exploits 0 · References 2

Prion
added 2020/07/29 5:15 p.m. · 13 views

Remote code execution

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code HMAC-SHA1 - either by using a different existing vulnerability or in case t...

6.8 CVSS · 8.4 AI score · 0.01187 EPSS
Exploits 1 · References 2 · Affected Software 1

FreeBSD
added 2020/07/28 12:0 a.m. · 25 views

typo3 -- multiple vulnerabilities

Typo3 Team reports: In case an attacker manages to generate a valid cryptographic message authentication code HMAC-SHA1 - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This...

1.5 AI score
Exploits 0 · References 3

Typo3
added 2019/12/17 12:0 a.m. · 15 views

Possible Insecure Deserialization in Extbase Request Handling

It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret - invalid or unsigned payload is not deserialized...

6.8 AI score
Exploits 0 · Affected Software 1

Tenable Nessus
added 2016/09/26 12:0 a.m. · 30 views

Debian DLA-639-1 : mactelnet security update

CVE-2016-7115 Buffer overflow in the handle_packet function in mactelnet.c in the client in MAC-Telnet 0.4.3 and earlier allows remote TELNET servers to execute arbitrary code via a long string in an MT_CPTYPE_ENCRYPTIONKEY control packet. For Debian 7 'Wheezy', these problems have been fixed in...

9.8 CVSS · 8.9 AI score · 0.01799 EPSS
Exploits 0 · References 3

Typo3
added 2005/11/14 12:0 a.m. · 19 views

TYPO3 Security Bulletin

For convenience, the TYPO3 Install Tool provides a button that sets the "encryptionKey" to a random value. It has been observed that only parts of the generated value are actually random. The overall key is therefore unique and - as of today - considered sufficiently secure. However, the effective key...

6.8 AI score
Exploits 0 · Affected Software 1