CVE-2009-2064
Microsoft Internet Explorer 8, and possibly other versions, detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying an http page to include an https iframe...
CVE-2009-2061
Mozilla Firefox before 3.0.10 processes a 3xx HTTP CONNECT response before a successful SSL handshake, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying this CONNECT response to specify a 302 redirect to an arbitrary https web site...
CVE-2009-2066
Apple Safari detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying an http page to include an https iframe that references a script file on an http site,...
CVE-2009-2066
CVE-2009-2066 affects Apple Safari. The issue arises when https pages load http content that is referenced from an https site, allowing MITM attackers to modify an http page to include an https iframe that loads http scripts, enabling arbitrary web script execution in an https context. Root cause...
CVE-2009-2068
Removed by vendor...
CVE-2009-1898
The secure login page in the Administrative Console component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 does not redirect to an https page upon receiving an http request, which makes it easier for remote attackers to read the contents of WAS sessions by sniffing the network...
Design/Logic Flaw
The secure login page in the Administrative Console component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 does not redirect to an https page upon receiving an http request, which makes it easier for remote attackers to read the contents of WAS sessions by sniffing the network...
CVE-2009-1477
The https web interfaces on the ATEN KH1516i IP KVM switch with firmware 1.0.063, the KN9116 IP KVM switch with firmware 1.1.104, and the PN9108 power-control unit have a hardcoded SSL private key, which makes it easier for remote attackers to decrypt https sessions by extracting this key from...
CVE-2009-1474
The ATEN KH1516i IP KVM switch with firmware 1.0.063 and the KN9116 IP KVM switch with firmware 1.1.104 do not (1) encrypt mouse events, which makes it easier for man-in-the-middle attackers to perform mouse operations on machines connected to the switch by injecting network traffic; and do not (2) s...
Session fixation
The ATEN KH1516i IP KVM switch with firmware 1.0.063 and the KN9116 IP KVM switch with firmware 1.1.104 do not (1) encrypt mouse events, which makes it easier for man-in-the-middle attackers to perform mouse operations on machines connected to the switch by injecting network traffic; and do not (2) s...
CVE-2009-1474
The CVE-2009-1474 issue affects ATEN KH1516i (firmware 1.0.063) and KN9116 (firmware 1.1.104). It states that mouse events are not encrypted and the session cookie is not marked Secure in HTTPS, enabling potential man-in-the-middle abuse and cookie interception over HTTP. Connected sources confir...
CVE-2009-0089
Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, and Vista Gold allows remote web servers to impersonate arbitrary https web sites by using DNS spoofing to "forward a connection" to a different https web site that has a valid certificate...
CVE-2009-0089
CVE-2009-0089 describes a vulnerability in Windows HTTP Services (WinHTTP) where remote servers could impersonate HTTPS sites via DNS spoofing and forward a connection to a host with a valid certificate for a different domain. Affected: Windows 2000 SP4, XP SP2/SP3, Server 2003 SP1/SP2, and Vista...
Protection against Microsoft Windows HTTP Services Certificate Name Mismatch Remote Code Execution Vulnerability (MS09-013)
A spoofing vulnerability has been reported in Microsoft Windows HTTP Services. Windows HTTP Services (WinHTTP) provides developers with an HTTP client application programming interface (API) to send requests through the HTTP protocol to other HTTP servers. A remote attacker may exploit this issue to...
SQL injection
Added: 04/10/2009. Background: Structured Query Language (SQL) is the most common language understood by modern relational databases. Problem: A web program uses input parameters within an SQL query in an unsafe manner. This could allow a remote attacker to inject arbitrary SQL commands via a speciall...
CVE-2009-0626
The SSLVPN feature in Cisco IOS 12.3 through 12.4 allows remote attackers to cause a denial of service (device reload or hang) via a crafted HTTPS packet...
CVE-2009-0626
The CVE-2009-0626 entry covers Cisco IOS WebVPN/SSLVPN vulnerabilities in 12.3–12.4. A crafted HTTPS packet can cause a device reload/hang (Crash). The adjacent CVE-2009-0628 describes a memory‑leak condition in SSLVPN sessions that can exhaust memory and crash the device. Affected releases inclu...