Disable SSLv3 in outgoing HTTPS connections from Confluence
SSLv3 is an old protocol and has been superseded by TLSv1.0, TLSv1.1 and TLSv1.2. TLSv1.0 was first defined in January 1999, and Java 6 supports it and uses it as the default client version in the TLS handshake. SSLv3 is old and limits the ciphers that can be used. SSLv3 is also vulnerable to POODLE. We...
Snom SIP Phone Denial Of Service
Snom SIP phones (www.snom.com) have a built-in HTTP/HTTPS configuration interface, which is enabled by default. By making a single HTTP POST request, all available memory and CPU can be exhausted, resulting in a reboot of the phone. This even works if the HTTP/HTTPS interface is protected by username...
F5 Networks BIG-IP : Libtiff vulnerabilities (SOL15863)
CVE-2012-1173 © Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from F5 Networks BIG-IP Solution SOL15863. The text description of this plugin is © F5 Networks. include("compat.inc"); if (description) { script_id(80447); script_version("1.5");...
HackerOne: HTTPS is not enforced for objects stored by HackerOne on Amazon S3
SSL is not enforced for objects stored by HackerOne on Amazon S3. Currently I see all the screenshots uploaded are stored in the Amazon S3 bucket "hackerone-attachments" and by default an HTTPS connection is made. However, even HTTP connections are open to these URLs, indicating that SSL is not enforced b...
[SECURITY] Fedora 21 Update: curl-7.37.0-12.fc21
curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies,...
AOL Advertising Network Abused to Distribute Malware
Security researchers have uncovered a malvertising campaign used to distribute malware to visitors of The Huffington Post website, as well as several other sites, through malicious advertisements served over the AOL advertising network. At the end of last year, Cyphort Labs, security firm...
Malvertising Campaign Hits AOL Ad Network, Leads to Exploit Kit
Researchers have detected a malvertising campaign running on a pair of sites owned by Huffington Post that is using ads distributed through an AOL ad network. The attack is sending victims through a series of redirects that eventually brings them to a landing page that is running an exploit kit...
Wifiphisher Wi-Fi Hacking Tool Automates Wi-Fi Phishing
A new Wi-Fi attack tool has been made available on GitHub that automates phishing attacks over WPA networks, putting credentials and other supposedly secret data at risk. The tool, called wifiphisher, jams Wi-Fi access points with deauthentication packets and then mimics the target access point...
Novell-File-Reporter
Novell File Reporter Agent XML Parsing Remote Code Execution Vulnerability 0day CVE-2012-4959 @abysssec well, just one more of our 0days got published after 2 years; here is the info: https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959 and here...
[SECURITY] Fedora 19 Update: curl-7.29.0-27.fc19
curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies,...
HTTP/HTTPS MITM Proxy and Traffic Recorder: Hyperfox
HTTP/HTTPS MITM Proxy and Traffic Recorder. Hyperfox is a security tool for proxying and recording HTTP and HTTPS communications on a LAN. Hyperfox is capable of forging SSL certificates on the fly using a root CA certificate and its corresponding key, both provided by the user. If the targe...
AppsGeyser generates Android applications that fail to properly validate SSL certificates
Overview AppsGeyser generates applications that fail to properly validate SSL certificates. Description AppsGeyser is an online tool that generates Android applications. At the time of publication of this vulnerability note, the AppsGeyser website claims to have generated over 1.3 million Android...
MercadoPago Android App Information Disclosure
Advisory ID Internal CORE-2014-0011 1. Advisory Information Title: MercadoPago Android App Information Disclosure Advisory ID: CORE-2014-0011 Date published: 2014-12-19 Date of last update: 2014-12-17 Vendors contacted: Mercadolibre Release mode: Coordinated release 2. Vulnerability Information...
CVE-2014-6086
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not ensure that HTTPS is used, which allows remote attackers to obtain sensitive information by sniffing the network during an HTTP session...
Session fixation
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not ensure that HTTPS is used, which allows remote attackers to obtain sensitive information by sniffing the network during an HTTP session...
CVE-2014-6086
IBM Security Access Manager for Mobile 8.x (before 8.0.1) and IBM Security Access Manager for Web (7.x before 7.0.0 FP10, and 8.x before 8.0.1) fail to enforce HTTPS, enabling remote attackers to sniff HTTP sessions and obtain sensitive information. This vulnerability is documented as CVE-2014-60...
Google Adds Content Security Policy Support to Gmail
Google has added another layer of security for users of Gmail on the desktop, which now supports content security policy, a standard that’s designed to help mitigate cross-site scripting and other common Web-based attacks. CSP is a W3C standard that has been around for several years, and it’s bee...
Chrome Plans to Mark All 'HTTP' Traffic as Insecure from 2015
Google is ready to give a New Year gift to Internet users who are concerned about their privacy and security. The Chromium Project's security team has marked all HTTP web pages as insecure and is planning to explicitly and actively inform users that HTTP connections provide no data security...
Google Proposes Marking 'HTTP' as Insecure in 2015
The Chromium security team is devising a plan to explicitly and actively inform users that ‘HTTP’ connections provide no data security protections. Google’s grand vision is that some day, HTTPS will become so widespread and commonplace that secure connections can be unmarked in the way that HTTP...