Geutebruck Remote Command Execution Exploit

This Metasploit module bypasses the HTTP basic authentication used to access the /uapi-cgi/ folder and exploits multiple authenticated arbitrary command execution vulnerabilities within the parameters of various pages on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and...

[ASA-202108-9] lynx: information disclosure

Arch Linux Security Advisory ASA-202108-9 ========================================= Severity: High Date : 2021-08-10 CVE-ID : CVE-2021-38165 Package : lynx Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-2261 Summary ======= The package lynx before version...

Sensitive Data Exposure

Overview The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected. Example affected...

PT-2021-19918 · WordPress · Gatsby-Source-Wordpress

Name of the Vulnerable Software and Affected Versions: gatsby-source-wordpress versions prior to 4.0.8 and 5.9.2 Description: The gatsby-source-wordpress plugin leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. This issue affects users who initialize...

Improper input validation in CNCF Cortex

The Alertmanager in CNCF Cortex before 1.8.1 has a local file disclosure vulnerability when -experimental.alertmanager.enable-api is used. The HTTP basic auth passwordfile can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack...

GHSA-8CH4-58QP-G3MP Observable Timing Discrepancy in aaugustin websockets library

The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basicauthprotocolfactorycredentials=.... An attacker may be able to guess a password via a timing attack...

[ASA-202106-26] python-websockets: private key recovery

Arch Linux Security Advisory ASA-202106-26 ========================================== Severity: Medium Date : 2021-06-09 CVE-ID : CVE-2021-33880 Package : python-websockets Type : private key recovery Remote : Yes Link : https://security.archlinux.org/AVG-2040 Summary ======= The package...

Information Disclosure

websockets is vulnerable to information disclosure. The vulnerability exists due to an observable timing discrepancy on servers when HTTP Basic Authentication is enabled with basicauthprotocolfactory, allowing an attacker to guess a password via timing attack...

CVE-2021-33880

The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basicauthprotocolfactorycredentials=.... An attacker may be able to guess a password via a timing attack...

Authentication flaw

The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basicauthprotocolfactorycredentials=.... An attacker may be able to guess a password via a timing attack...

PYSEC-2021-95

The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basicauthprotocolfactorycredentials=.... An attacker may be able to guess a password via a timing attack...

CVE-2021-33880

The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basicauthprotocolfactorycredentials=.... An attacker may be able to guess a password via a timing attack...

CVE-2021-33880

The CVE-2021-33880 issue affects the aaugustin websockets library for Python, before version 9.1. It describes an Observable Timing Discrepancy when HTTP Basic Authentication is enabled (basic_auth_protocol_factory(credentials=...)), allowing an attacker to guess passwords via a timing attack. A ...

Arbitrary file deletion

The Alertmanager in CNCF Cortex before 1.8.1 has a local file disclosure vulnerability when -experimental.alertmanager.enable-api is used. The HTTP basic auth passwordfile can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack...

CVE-2021-31231

The Alertmanager in Grafana Enterprise Metrics before 1.2.1 and Metrics Enterprise 1.2.1 has a local file disclosure vulnerability when experimental.alertmanager.enable-api is used. The HTTP basic auth passwordfile can be used as an attack vector to send any file content via a webhook. The...

Server secret was included in static assets and served to clients

Impact Server JWT signing secret was included in static assets and served to clients. This ALLOWS Flood's builtin authentication to be bypassed. Given Flood is granted access to rTorrent's SCGI interface which is unprotected and ALLOWS arbitrary code execution and usually wide-ranging privileges ...

SUSE-SU-2020:14460-1 Security update for squid3

This update for squid3 fixes the following issues: - Fixed a Cache Poisoning and Request Smuggling attack CVE-2020-15049, bsc1173455 - Fixed incorrect buffer handling that can result in cache poisoning, remote execution, and denial of service attacks when processing ESI responses CVE-2019-12519,...

CVE-2020-14455

An issue was discovered in Mattermost Desktop App before 4.4.0. Prompting for HTTP Basic Authentication is mishandled, allowing phishing, aka MMSA-2020-0007...

Authentication flaw

An issue was discovered in Mattermost Desktop App before 4.4.0. Prompting for HTTP Basic Authentication is mishandled, allowing phishing, aka MMSA-2020-0007...

CVE-2020-14455

Technical details beyond the provided description are not publicly available in the supplied documents. Monitor for updates.