7687 matches found
Design/Logic Flaw
Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. Or th...
Exploit for CVE-2022-30190
CVE-2022-30190 This Repository Talks about the Follina MSDT fr...
Researchers Demonstrate Ransomware for IoT Devices That Targets IT and OT Networks
As ransomware infections have evolved from purely encrypting data to schemes such as double and triple extortion, a new attack vector is likely to set the stage for future campaigns. Called Ransomware for IoT or R4IoT by Forescout, it's a "novel, proof-of-concept ransomware that exploits an IoT...
PowerGram - Multiplatform Telegram Bot In Pure PowerShell
PowerGram is a pure PowerShell Telegram Bot that can be run on Windows, Linux or Mac OS. To make use of it, you only need PowerShell 4 or higher and an internet connection. All communication between the Bot and Telegram servers is encrypted with HTTPS, but all requests will be sent in GET method,...
CVE-2022-30115
Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. Or th...
CVE-2022-30115
CVE-2022-30115 describes an HSTS bypass in curl where the client could be forced to use HTTPS despite an HTTP URL, via mismatches between URL hostname trailing dots and HSTS cache entries. Connected advisories confirm the issue affects curl and was fixed in later releases; for example, Alpine/CUR...
CVE-2022-27774
CVE-2022-27774 affects curl. The vulnerability is described as an insufficiently protected credentials issue where credentials could be leaked during HTTP(S) redirects when authentication is involved, potentially leaking to other hosts across different protocols or ports. Connected advisories sho...
Exploit for CVE-2022-30190
MSDTCVE-2022-30190 This Repository Talks about the Follina MS...
Security Bulletin: Vulnerability in Apache HTTP (CVE-2022-22720) affects Power HMC
Summary: Apache HTTP webserver is used by IBM Power Hardware Management Console (HMC) for accepting https requests and transferring them to and fro to internal applications. This bulletin provides a remediation for the impacted vulnerability, CVE-2022-22720, by upgrading IBM Power Hardware Management Console H...
Hakoriginfinder - Tool For Discovering The Origin Host Behind A Reverse Proxy. Useful For Bypassing Cloud WAFs!
Tool for discovering the origin host behind a reverse proxy. Useful for bypassing WAFs and other reverse proxies. How does it work? This tool will first make an HTTP request to the hostname that you provide and store the response, then it will make a request to every IP address that you provide vi...
Node.js: Undici does not use CONNECT or otherwise validate upstream HTTPS certificates when using a proxy
Summary: When using Undici with its ProxyAgent, it does not use CONNECT or correctly verify the upstream server's HTTPS certificate. Description: This affects both Undici itself and global fetch in Node 18 when used with Undici's ProxyAgent. I've submitted this here for Node as it affects global...
Cisco Firepower Threat Defense Software Web Services Interface DoS (cisco-sa-asafdt-webvpn-dos-tzPSYern)
A vulnerability in the web services interface for remote access VPN features of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper input validation when parsing HTTPS request...
Cisco Adaptive Security Appliance Software Web Services Interface DoS (cisco-sa-asafdt-webvpn-dos-tzPSYern)
A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper input validation when parsing HTTPS...
GO-2022-0166 Denial of service due to unchecked parameters in crypto/dsa
The Verify function in crypto/dsa passed certain parameters unchecked to the underlying big integer library, possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client certificates or the Go...
Play Framework Inadequate Encryption Strength vulnerability
An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host...
kevinsawicki/http-request Missing certificate validation
OSS Http Request kevinsawicki/http-request is missing SSL/TLS certificate validation. The impact is: certificate spoofing. The component is: use this library when https communication. The attack vector is: certificate spoofing...
Obsidian does not require user confirmation for non-http/https URLs.
Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs...
GHSA-45MX-G85M-WWM3 Obsidian does not require user confirmation for non-http/https URLs.
Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs...