Amazon Linux AMI : rubygems (ALAS-2012-79)
RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack. (c) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amaz...
Amazon Linux AMI : ca-certificates (ALAS-2011-03)
This update includes the latest updates to the root Certificate Authority list from Mozilla. It was found that a Certificate Authority CA issued fraudulent HTTPS certificates. This update removes that CA's root certificate from the ca-certificates package, rendering any HTTPS certificates signed ...
Amazon Linux AMI : perl-libwww-perl (ALAS-2011-17)
The Net::HTTPS module in libwww-perl LWP before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof...
Firefox Extension HTTP Nowhere Allows Users to Surf in Encrypted-Only Mode
It’s no secret that the Web wasn’t really meant to be a secure platform, for communications or commerce or anything else. But it’s used for all of these functions every day, and for the most part they depend upon the sites they deal with using SSL and doing so correctly. That’s not always a sure...
Obehotel CMS SQL Injection Vulnerability
Obehotel CMS suffers from denial of service, insecure transit, directory listing, and remote SQL injection vulnerabilities. OBEHOTEL Spanish CMS Blind SQLinjection / Apache httpd Remote Denial of Service / Directory Listing / Insecure transition from HTTPS to HTTP in form post I-VULNERABILITY...
Obehotel CMS Denial Of Service / SQL Injection
OBEHOTEL Spanish CMS Blind SQLinjection / Apache httpd Remote Denial of Service / Directory Listing / Insecure transition from HTTPS to HTTP in form post I-VULNERABILITY ------------------------- Title: OBEHOTEL CMS Blind SQLinjection / Apache httpd Remote Denial of Service / Directory Listing /...
Debian DSA-2740-2 : python-django - XSS vulnerability
Nick Brunn reported a possible cross-site scripting vulnerability in python-django, a high-level Python web development framework. The is_safe_url utility function used to validate that a used URL is on the current host to avoid potentially dangerous redirects from maliciously-constructed...
[SECURITY] [DSA 2740-1] python-django security update
------------------------------------------------------------------------- Debian Security Advisory DSA-2740-1 [email protected] http://www.debian.org/security/ Salvatore Bonaccorso August 23, 2013 http://www.debian.org/security/faq -...
Debian Security Advisory DSA 2740-2 (python-django - cross-site scripting vulnerability)
Nick Brunn reported a possible cross-site scripting vulnerability in python-django, a high-level Python web development framework. The is_safe_url utility function used to validate that a used URL is on the current host to avoid potentially dangerous redirects from maliciously-constructed...
CVE-2013-4964
Puppet Enterprise before 3.0.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session...
Session fixation
Puppet Enterprise before 3.0.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session...
Fedora Update for fontmatrix FEDORA-2013-13523
Check for the Version of fontmatrix OpenVAS Vulnerability Test Fedora Update for fontmatrix FEDORA-2013-13523 Authors: System Generated Check Copyright: Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net This program is free software; you can redistribute it and/or modify it under...
Fedora Update for kernel FEDORA-2013-12901
Check for the Version of kernel OpenVAS Vulnerability Test Fedora Update for kernel FEDORA-2013-12901 Authors: System Generated Check Copyright: Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net This program is free software; you can redistribute it and/or modify it under the ter...
Scanning the Internet in 45 Minutes
The Internet is a big thing. Or, more accurately, a big collection of things. Figuring out exactly how many things, and what vulnerabilities those things contain has always been a challenge for researchers, but a new tool released by a group from the University of Michigan that is capable of...
New Jigsaw Hacking Tool Spotted in Attacks
If you’ve run an internal phishing exercise, chances are you may have used Jigsaw, an open source penetration testing tool that enables security teams to automatically generate email address combinations from a minimal amount of public information. As with other open source security and networkin...
Fedora Update for chrony FEDORA-2013-14539
Check for the Version of chrony OpenVAS Vulnerability Test Fedora Update for chrony FEDORA-2013-14539 Authors: System Generated Check Copyright: Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net This program is free software; you can redistribute it and/or modify it under the ter...
CVE-2013-3454
Cisco TelePresence System Software 1.10.1 and earlier on 500, 13X0, 1X00, 30X0, and 3X00 devices, and 6.0.3 and earlier on TX 9X00 devices, has a default password for the pwrecovery account, which makes it easier for remote attackers to modify the configuration or perform arbitrary actions via...