CVE-2014-5406 Hospira LifeCare PCA Infusion System

The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a 1 drug library, 2 software update, or 3 configuration change, which allows remote attackers to modify settings or medication data via packets on the a TELNET, b HTTP, c HTTPS, or d UPNP...

barnesandnoble.com XSS vulnerability

Vulnerable URL: http://www.barnesandnoble.com/mobile/noresults/%27%22%3Ev0raz%3Cbody/onpageshow=%22%26%2397lert%28'XSSPOSED'%29%22%3E Details: Description| Value ---|--- Patched:| Yes, at 24.01.2016 Latest check for patch:| 24.01.2016 12:27 GMT Vulnerability type:| XSS Vulnerability status:|...

trial-sport.ru XSS vulnerability

Vulnerable URL: http://trial-sport.ru/gds.php?q=xss=1=0=0=0';alert/XSSposed///=0from=0to= Details: Description| Value ---|--- Patched:| Yes, at 30.01.2016 Latest check for patch:| 30.01.2016 20:57 GMT Vulnerability type:| XSS Vulnerability status:| Publicly disclosed Alexa Rank| 16001 Google...

FreeBSD : ansible -- multiple vulnerabilities (72fccfdf-2061-11e5-a4a5-002590263bf5)

Ansible, Inc. reports : Ensure that hostnames match certificate names when using HTTPS - resolved in Ansible 1.9.2 Improper symlink handling in zone, jail, and chroot connection plugins could lead to escape from confined environment - resolved in Ansible 1.9.2 %NASLMINLEVEL 70300 C Tenable Networ...

HSTS Missing From HTTPS Server

The remote HTTPS server is not enforcing HTTP Strict Transport Security HSTS. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and...

Pinterest Fixes Validation Vulnerability in API

Pinterest recently fixed an issue in the API of its web app that could have allowed remote attackers to compromise emails and carry out session hijacking and phishing attacks. Vulnerability Lab researcher Benjamin Kunz Mejri discovered the issue, which is a persistent mail encoding and validation...

CVE-2015-1951

IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX001, and 7.6.0 before 7.6.0.0 IFIX005 does not prevent caching of HTTPS responses, which allows physically proximate attackers to obtain sensitive local-cache information by leveraging an unattended workstation...

Design/Logic Flaw

IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX001, and 7.6.0 before 7.6.0.0 IFIX005 does not prevent caching of HTTPS responses, which allows physically proximate attackers to obtain sensitive local-cache information by leveraging an unattended workstation...

CVE-2015-1951

CVE-2015-1951 affects IBM Maximo Asset Management and related products (e.g., Maximo Asset Management Essentials, several Industry Solutions, SmartCloud Control Desk, Tivoli/TAM IT products) as listed in IBM Security Bulletin. The vulnerability arises because HTTPS responses can be cached locally...

CVE-2015-1951

IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX001, and 7.6.0 before 7.6.0.0 IFIX005 does not prevent caching of HTTPS responses, which allows physically proximate attackers to obtain sensitive local-cache information by leveraging an unattended workstation...

Debian Security Advisory DSA 3298-1 (jackrabbit - security update)

It was discovered that the Jackrabbit WebDAV bundle was susceptible to a XXE/XEE attack. When processing a WebDAV request body containing XML, the XML parser could be instructed to read content from network resources accessible to the host, identified by URI schemes such as https or file. Dependi...

Debian DSA-3298-1 : jackrabbit - security update

It was discovered that the Jackrabbit WebDAV bundle was susceptible to a XXE/XEE attack. When processing a WebDAV request body containing XML, the XML parser could be instructed to read content from network resources accessible to the host, identified by URI schemes such as'https' or 'file'...

SUSE-SU-2015:1344-1 Security update for python

This update to python 2.7.9 fixes the following issues: python-2.7-libffi-aarch64.patch: Fix argument passing in libffi for aarch64 From the version update to 2.7.9: contains full backport of ssl module from Python 3.4 PEP466 HTTPS certificate validation enabled by default PEP476 SSLv3 disabled b...

Design/Logic Flaw

The HTTP connection-management functionality in Internet Pass-Thru IPT before 2.1.0.2 in IBM WebSphere MQ, when HTTPS is disabled, does not properly generate MQIPT Session IDs, which makes it easier for remote attackers to bypass intended restrictions on MQ message data by predicting an ID value...

CVE-2015-0173

The HTTP connection-management functionality in Internet Pass-Thru IPT before 2.1.0.2 in IBM WebSphere MQ, when HTTPS is disabled, does not properly generate MQIPT Session IDs, which makes it easier for remote attackers to bypass intended restrictions on MQ message data by predicting an ID value...

CVE-2015-0173

The HTTP connection-management functionality in Internet Pass-Thru IPT before 2.1.0.2 in IBM WebSphere MQ, when HTTPS is disabled, does not properly generate MQIPT Session IDs, which makes it easier for remote attackers to bypass intended restrictions on MQ message data by predicting an ID value...

ansible -- multiple vulnerabilities

Ansible, Inc. reports: Ensure that hostnames match certificate names when using HTTPS - resolved in Ansible 1.9.2 Improper symlink handling in zone, jail, and chroot connection plugins could lead to escape from confined environment - resolved in Ansible 1.9.2...

McAfee ePolicy Orchestrator Man-in-the-Middle Attack Vulnerability (Jun 2015)

McAfee ePolicy Orchestrator is prone to a man-in-the-middle MITM vulnerability. SPDX-FileCopyrightText: 2015 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

Amazon Linux AMI : python27 (ALAS-2015-552)

It was discovered that multiple Python standard library modules implementing network protocols such as httplib or smtplib failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory.CVE-2013-1752 ...

CVE-2013-7398

main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client aka AHC or async-http-client before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate...