EUVD-2020-0392
Malware in sbrugna...
CVE-2020-11020
Faye NPM and RubyGem versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5 have the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions by appending extra segments to the message channel. It...
Faye Trust Management Issue Vulnerability
Faye is an open source publish-subscribe messaging system based on the Bayeux protocol. The system is mainly used for publish-subscribe messaging between Web clients. A trust management issue vulnerability exists in versions of Faye prior to 1.4.0, which stems from the program failing to...
DEBIAN-CVE-2020-15134
In Faye before version 1.4.0, there is a lack of certificate validation in TLS handshakes. Faye uses em-http-request and faye-websocket in the Ruby version of its client. Those libraries both use the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL i...
Improper Access Control
Overview: faye is a simple pub/sub messaging system for the web. Affected versions of this package are vulnerable to Improper Access Control. The server parses channels in a way that means any channel namespaced under /meta/subscribe will also work as a subscription request. For example, if the client sen...
Cross-Site Request Forgery (CSRF)
Overview: faye is a simple pub/sub messaging system for the web. Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF). The Rosetta Flash alphanumeric-only SWF converter can be used as a callback at a JSONP endpoint and, as a result, send data across domains. Remediation: Upgrade fay...