CVE-2020-16156
CPAN 2.28 allows Signature Verification Bypass...
Log4Shell Is Spawning Even Nastier Mutations
The internet has a fast-spreading, malignant cancer – otherwise known as the Apache Log4j logging library exploit – that’s been rapidly mutating and attracting swarms of attackers since it was publicly disclosed last week. Most of the attacks focus on cryptocurrency mining done on victims’ dimes,...
CVE-2021-37189
An issue was discovered on Digi TransPort Gateway devices through 5.2.13.4. They do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an HTTP session...
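The entry above describes the mechanism only in one sentence: a cookie set over HTTPS without the Secure attribute is attached by the browser to any later plain-HTTP request to the same host. The following added example (not code from Digi or from the CVE entry) audits Set-Cookie headers for Secure and HttpOnly, then uses the standard-library cookie jar to show which cookies a user agent would actually send over http://. The header values and the host name gateway.example are constructed for illustration.

```python
"""Audit Set-Cookie headers for the Secure attribute and show which cookies a
user agent would send over cleartext HTTP.

Added example, not code from Digi or from the CVE-2021-37189 entry. The header
values and the host name gateway.example are constructed for illustration.
"""
import email.message
import http.cookiejar
import urllib.request
from typing import Dict, List

# Constructed Set-Cookie headers, as if returned by an HTTPS login response.
# The first two lack the Secure attribute (the pattern in CVE-2021-37189);
# the last two are set correctly.
CONSTRUCTED_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "prefs=lang%3Den; Path=/; Max-Age=31536000",
    "auth_token=def456; Path=/; Secure; HttpOnly; SameSite=Strict",
    "csrf=ghi789; Path=/; Secure",
]

HTTPS_ORIGIN = "https://gateway.example/login"   # where the cookies were set (assumed host)
HTTP_SAME_HOST = "http://gateway.example/"       # a later cleartext request to the same host


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str, require_httponly: bool = True) -> List[str]:
    """Return the protective attributes missing from one Set-Cookie header."""
    _name, _value, attrs = parse_set_cookie(header)
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if require_httponly and "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> missing attributes, listing only cookies with findings."""
    findings = {}
    for header in headers:
        name = parse_set_cookie(header)[0]
        missing = audit_set_cookie(header)
        if missing:
            findings[name] = missing
    return findings


class _FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar.extract_cookies() only
    needs .info() to return an object with get_all('Set-Cookie')."""

    def __init__(self, set_cookie_headers: List[str]):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header   # Message appends repeated headers

    def info(self):
        return self._msg


def cookies_sent_over_http(set_cookie_headers: List[str]) -> List[str]:
    """Store cookies from an HTTPS response, then report which ones the stdlib
    cookie jar (which honours Secure) attaches to a cleartext request."""
    jar = http.cookiejar.CookieJar()
    https_req = urllib.request.Request(HTTPS_ORIGIN)
    jar.extract_cookies(_FakeResponse(set_cookie_headers), https_req)

    http_req = urllib.request.Request(HTTP_SAME_HOST)
    jar.add_cookie_header(http_req)           # Secure cookies are skipped here
    cookie_header = http_req.get_header("Cookie", "")
    names = [c.split("=", 1)[0].strip() for c in cookie_header.split(";") if c.strip()]
    return sorted(names)


if __name__ == "__main__":
    for name, missing in audit_all(CONSTRUCTED_SET_COOKIE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
    print("sent over http://:", cookies_sent_over_http(CONSTRUCTED_SET_COOKIE_HEADERS))
```

Point the audit at real headers by replacing the constructed list with the Set-Cookie values from the device's login response; any session cookie that shows up in `cookies_sent_over_http` is exactly the cleartext exposure the CVE describes.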
Check Point Response to Apache Log4j Remote Code Execution
Solution On December 10, 2021, a proof of concept of a vulnerability in the Apache Log4j Java library CVE-2021-44228 was published. The vulnerability may allow unauthenticated threat actors to obtain remote code execution. The severity of the vulnerability was deemed critical. The Check Point...
CVE-2021-38507
The Opportunistic Encryption feature of HTTP/2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP addre...
Updated java openjdk packages fix security vulnerability
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fixes: OpenJDK: Loop in HttpsServer triggered during TLS session close JSSE, 8254967 CVE-2021-35565 OpenJDK: Incorrect principal selection when using Kerberos...
Instance config inline secret exposure in Grafana
Impact Some inline secrets are exposed in plaintext over the Grafana Agent HTTP server: Inline secrets for metrics instance configs in the base YAML file are exposed at /-/config Inline secrets for integrations are exposed at /-/config Inline secrets for Consul ACL tokens and ETCD basic auth when...
Not with a Bang but a Whisper: The Shift to Stealthy C2
As defensive tools have evolved to detect more and more traditional attack techniques, it should come as no surprise that attackers have shifted tactics. This ever-evolving arms race between offensive security toolsets, bespoke advanced persistent threat (APT) malware and the billion-dollar infosec...
CVE-2021-41090
Grafana Agent is a telemetry collector for sending metrics, logs, and trace data to the opinionated Grafana observability stack. Prior to versions 0.20.1 and 0.21.2, inline secrets defined within a metrics instance config are exposed in plaintext over two endpoints: metrics instance configs defin...
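Both the GHSA advisory and the CVE entry above describe the same failure: a debug endpoint that echoes the loaded configuration, including inline credentials, verbatim. The added example below (not Grafana Agent code and not its actual fix) shows the vulnerable rendering beside a hardened one that walks the config tree and redacts secret-valued keys before serialising, plus a check that confirms no known secret literal survives in the output. The config layout and key names (basic_auth.password, bearer_token, acl_token) are assumptions modelled on Prometheus-style scrape configs; all values are constructed.

```python
"""Redact inline secrets before a config is echoed by a debug endpoint.

Added example, not Grafana Agent code and not its actual fix. The config
structure and key names (basic_auth.password, bearer_token, acl_token) are
assumptions modelled on Prometheus-style scrape configs; values are constructed.
JSON stands in for YAML so the example runs with the standard library only.
"""
import json
import re
from typing import Any, List

REDACTED = "<secret>"

# Keys whose string values are treated as secrets wherever they appear.
# Anchored at the end so *_file paths (e.g. bearer_token_file) are kept.
SECRET_KEY_RE = re.compile(r"(password|secret|token|credentials|api_key)$", re.I)

# Constructed config; every secret below is fake.
CONSTRUCTED_CONFIG = {
    "server": {"http_listen_port": 12345},
    "metrics": {
        "configs": [
            {
                "name": "default",
                "scrape_configs": [
                    {
                        "job_name": "app",
                        "basic_auth": {"username": "scraper",
                                       "password": "hunter2-constructed"},
                    },
                    {
                        "job_name": "api",
                        "bearer_token": "tok-constructed-0001",
                        "bearer_token_file": "/etc/agent/token",   # a path, not a secret
                    },
                ],
            }
        ]
    },
    "integrations": {
        "consul_exporter": {"enabled": True, "acl_token": "acl-constructed-9f"},
    },
}
CONSTRUCTED_SECRETS = ["hunter2-constructed", "tok-constructed-0001", "acl-constructed-9f"]


def redact_secrets(node: Any) -> Any:
    """Return a copy of `node` with secret-valued string leaves replaced.

    Dicts and lists are rebuilt, so the caller's loaded config is not mutated.
    """
    if isinstance(node, dict):
        return {
            key: (REDACTED if SECRET_KEY_RE.search(key) and isinstance(value, str)
                  else redact_secrets(value))
            for key, value in node.items()
        }
    if isinstance(node, list):
        return [redact_secrets(item) for item in node]
    return node


def render_config_raw(config: Any) -> str:
    """Vulnerable behaviour: serialise the loaded config exactly as loaded."""
    return json.dumps(config, indent=2, sort_keys=True)


def render_config_redacted(config: Any) -> str:
    """Hardened behaviour: redact first, then serialise."""
    return json.dumps(redact_secrets(config), indent=2, sort_keys=True)


def leaked_secrets(rendered: str, secrets: List[str]) -> List[str]:
    """Return the known secret literals that appear verbatim in `rendered`."""
    return [s for s in secrets if s in rendered]


if __name__ == "__main__":
    print("raw output leaks:", leaked_secrets(render_config_raw(CONSTRUCTED_CONFIG), CONSTRUCTED_SECRETS))
    print("redacted output leaks:", leaked_secrets(render_config_redacted(CONSTRUCTED_CONFIG), CONSTRUCTED_SECRETS))
    print(render_config_redacted(CONSTRUCTED_CONFIG))
```

The key-name allowlist is the weak point of any redactor of this shape: a secret stored under an unanticipated key (for example a custom header value) passes through, so `leaked_secrets` run against the set of secrets the deployment actually loaded is the check worth keeping in a test suite, not the regex alone.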
CVE-2021-41014
An uncontrolled resource consumption in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an unauthenticated attacker to make the httpsd daemon unresponsive via huge HTTP packets...
Fortinet FortiWeb Resource Management Error Vulnerability
Fortinet FortiWeb is a web application layer firewall from the U.S. company Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning and other attacks to ensure the security of web applications and protect sensitive database content. A...
VMware vCenter Server 6.5 / 6.7 Multiple Vulnerabilities (VMSA-2021-0027)
The version of VMware vCenter Server installed on the remote host is 6.5 prior to 6.5 U3r or 6.7 prior to 6.7 U3p. It is, therefore, affected by multiple vulnerabilities: - An arbitrary file read vulnerability exists in the vSphere web client. An unauthenticated, remote attacker can exploit this,...