OSV
added 2020/09/01 4:16 p.m.

GHSA-7WW4-C3MJ-93CF Downloads Resources over HTTP in pm2-kafka

Affected versions of pm2-kafka insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the syst...

CVSS 9.3 | AI score 8.1 | EPSS 0.00735
Exploits 0 | References 2
Github Security Blog
added 2020/09/01 4:14 p.m.

Downloads Resources over HTTP in windows-latestchromedriver

Affected versions of windows-latestchromedriver insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

CVSS 9.3 | AI score 6.4 | EPSS 0.00735
Exploits 0 | References 3 | Affected Software 1
Github Security Blog
added 2020/09/01 4:13 p.m.

Downloads Resources over HTTP in roslib-socketio

Affected versions of roslib-socketio insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on th...

CVSS 9.3 | AI score 6.4 | EPSS 0.00658
Exploits 0 | References 3 | Affected Software 1
OSV
added 2020/09/01 4:12 p.m.

GHSA-72Q2-5RXX-XFFF gfe-sass downloads Resources over HTTP

Affected versions of gfe-sass insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the syste...

CVSS 8.1 | AI score 8.1 | EPSS 0.00735
Exploits 0 | References 2
OSV
added 2020/09/01 4:11 p.m.

GHSA-J9Q7-3RHF-4PPV windows-selenium-chromedriver downloads Resources over HTTP

Affected versions of windows-selenium-chromedriver insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

CVSS 8.1 | AI score 8.1 | EPSS 0.00735
Exploits 0 | References 2
OSV
added 2020/09/01 4:07 p.m.

GHSA-9CHW-XRWX-F86J frames-compiler downloads Resources over HTTP

Affected versions of frames-compiler insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on th...

CVSS 8.1 | AI score 8.1 | EPSS 0.00735
Exploits 0 | References 2
Hacker One
added 2020/08/27 12:04 a.m.

Shopify: Disclose STUFF member name and make actions.

Hello Shopify Security Team!
Bug Summary:
Based on the report 968165, this also can retrieve the STUFF member name and can send messages using his name.
Reproduction steps:
- install shopify chat applications.
Start Exploit 1:
+ Go to targeted store : +...

AI score 0.2
Exploits 0
Prion
added 2020/08/26 7:15 p.m.

Authorization

IBM Security Guardium Data Encryption (GDE) 3.0.0.2 does not set the Secure attribute on authorization tokens or session cookies. Attackers may be able to obtain the cookie values by sending an http:// link to a user or by planting such a link on a site the user visits. The cookie will be sent to the...

CVSS 4.3 | AI score 4.1 | EPSS 0.00088
Exploits 0 | References 2 | Affected Software 2
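The GDE entry above is a missing-cookie-attribute finding: without `Secure`, a session cookie is attached to any http:// request for the host, which is exactly what the lured http:// link triggers. The following is an added example, not IBM code, that audits `Set-Cookie` headers for the attributes a session or authorization cookie needs and models the cleartext-leak path. The header values are constructed; the name pattern used to decide which cookies count as sensitive is an assumption for the example.

```javascript
// Added example, not IBM's code. Header values are constructed; the SENSITIVE
// name pattern is an assumption for the example, not a standard.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = v.toLowerCase();
  }
  return cookie;
}

// Cookies whose names suggest session or authorization state get the strict checks.
const SENSITIVE = /session|token|auth|sid/i;

// Returns the findings a scanner would report for one Set-Cookie header.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (SENSITIVE.test(c.name)) {
    if (!c.secure) findings.push('missing Secure: sent on http:// requests to this host');
    if (!c.httpOnly) findings.push('missing HttpOnly: readable by page script');
    if (c.sameSite === null || c.sameSite === 'none') findings.push('SameSite absent or None');
  }
  return { name: c.name, secure: c.secure, httpOnly: c.httpOnly, findings };
}

// The attack path from the advisory: the victim follows an http:// link to the
// application host. The browser attaches every non-Secure cookie for that host
// to the cleartext request, so an on-path observer reads it.
function leaksOverCleartextLink(header) {
  return !parseSetCookie(header).secure;
}

// Constructed headers: the vulnerable shape, the corrected shape, and a
// non-sensitive cookie that needs no flags.
const CONSTRUCTED_HEADERS = [
  'JSESSIONID=3f9a1c; Path=/; HttpOnly',
  'JSESSIONID=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Path=/',
];

function auditAll(headers = CONSTRUCTED_HEADERS) {
  return headers.map(auditSetCookie);
}

module.exports = { parseSetCookie, auditSetCookie, leaksOverCleartextLink, auditAll, CONSTRUCTED_HEADERS };
```

The fix on the server side is the second header shape: `Secure` stops the cleartext leak, `HttpOnly` keeps the token away from script, and `SameSite` limits cross-site sending. Redirecting http:// to https:// does not help by itself, because the cookie has already left the browser in the first request.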
NVD
added 2020/08/26 4:15 p.m.

CVE-2020-24661

GNOME Geary before 3.36.3 mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (e.g., self-signed certificates) when the client system is not configured to use a system-provided PKCS#11 store. This allows a meddler in the middle to present a...

CVSS 5.9 | AI score 5.6 | EPSS 0.00178
Exploits 1 | References 4
CVE
added 2020/08/26 3:06 p.m.

CVE-2020-24661

CVE-2020-24661 affects GNOME Geary prior to 3.36.3. The issue stems from mishandling of pinned TLS certificate verification for IMAP/SMTP when the client is not configured to use a system PKCS#11 store, allowing a MITM to present an invalid certificate and intercept mail. Public sources in the co...

CVSS 5.9 | AI score 5.4 | EPSS 0.00178
Exploits 1 | References 4 | Affected Software 1
Debian CVE
added 2020/08/26 3:06 p.m.

CVE-2020-24661

GNOME Geary before 3.36.3 mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (e.g., self-signed certificates) when the client system is not configured to use a system-provided PKCS#11 store. This allows a meddler in the middle to present a...

CVSS 5.9 | AI score 5.6 | EPSS 0.00178
Exploits 1
Veracode
added 2020/08/25 3:48 a.m.

Malicious Package

MintegralAdSDK is a malicious package. The package performs malicious functionalities such as tracking any URL opened by the app, intercepting and hijacking a user ad-click and activity, sending logs to third-party server and performing advertisement attribution fraud regardless of serving ad is...

CVSS 8.1 | AI score 1.8 | EPSS 0.00331
Exploits 0 | References 1 | Affected Software 1
NVD
added 2020/08/21 9:15 p.m.

CVE-2020-9062

Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30 do not encrypt, authenticate, or verify the integrity of messages between the CCDM and the host computer, allowing an attacker with physical access to internal ATM components to commit deposit forgery by intercepting an...

CVSS 5.3 | AI score 5.2 | EPSS 0.00012
Exploits 0 | References 2
Prion
added 2020/08/21 9:15 p.m.

Design/Logic Flaw

Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30 do not encrypt, authenticate, or verify the integrity of messages between the CCDM and the host computer, allowing an attacker with physical access to internal ATM components to commit deposit forgery by intercepting an...

CVSS 2.1 | AI score 5.8 | EPSS 0.00012
Exploits 0 | References 1 | Affected Software 1
Vulnrichment
added 2020/08/21 8:30 p.m.

CVE-2020-9062

Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30 do not encrypt, authenticate, or verify the integrity of messages between the CCDM and the host computer, allowing an attacker with physical access to internal ATM components to commit deposit forgery by intercepting an...

AI score 6.6 | EPSS 0.00012
Exploits 0 | References 1
OSV
added 2020/08/14 4:15 p.m.

CVE-2019-5591

A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server...

CVSS 6.5 | AI score 7.2 | EPSS 0.50553
Exploits 1 | References 2
Prion
added 2020/08/14 4:15 p.m.

Default configuration

A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server...

CVSS 3.3 | AI score 7.9 | EPSS 0.50553
Exploits 1 | References 1 | Affected Software 1
Cvelist
added 2020/08/14 3:28 p.m.

CVE-2019-5591

A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server...

AI score 6.8 | EPSS 0.50553
Exploits 1 | References 1
Hacker One
added 2020/08/14 7:23 a.m.

Acronis: Cross Origin Resource Sharing Misconfiguration

Description: Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin. The CORS mechanism supports secure cross-origin requests and data transfers...

AI score 6.3
Exploits 0
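The Acronis report above is a CORS misconfiguration, the class where a server echoes the request's `Origin` header (or matches it too loosely) while also allowing credentials, so an attacker's page can read authenticated responses from the victim's browser. The following is an added example, not Acronis code and not a claim about what their server did, showing the two misconfigured shapes beside an exact-match allowlist. The origins are constructed; the functions return the headers a server would emit, or null when no CORS headers should be sent.

```javascript
// Added example, not Acronis code. Origins below are constructed.

// Misconfiguration 1: reflect whatever Origin arrives and allow credentials.
// Any site can now make the victim's browser fetch and read authenticated data.
function vulnerableReflectCors(requestOrigin) {
  if (!requestOrigin) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Misconfiguration 2: a prefix (or regex/substring) check. Looks like an
// allowlist but 'https://app.example.invalid.evil.invalid' passes it.
function vulnerablePrefixCors(requestOrigin) {
  if (!requestOrigin || !requestOrigin.startsWith('https://app.example.invalid')) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: exact, scheme-inclusive allowlist; Vary: Origin so caches never
// serve one origin's ACAO to another; nothing emitted for unknown origins.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.invalid',
  'https://admin.example.invalid',
]);

function hardenedCors(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// A scanner's view of the three policies against one attacker origin: true
// means the attacker's page would be granted a credentialed read.
function attackerCanRead(policy, attackerOrigin) {
  const h = policy(attackerOrigin);
  return h !== null
    && h['Access-Control-Allow-Origin'] === attackerOrigin
    && h['Access-Control-Allow-Credentials'] === 'true';
}

// Constructed attacker origins: a stranger, and a subdomain crafted to satisfy a prefix check.
const ATTACKER_ORIGINS = ['https://evil.invalid', 'https://app.example.invalid.evil.invalid'];

function compareAll() {
  return ATTACKER_ORIGINS.map((o) => ({
    origin: o,
    reflect: attackerCanRead(vulnerableReflectCors, o),
    prefix: attackerCanRead(vulnerablePrefixCors, o),
    hardened: attackerCanRead(hardenedCors, o),
  }));
}

module.exports = { vulnerableReflectCors, vulnerablePrefixCors, hardenedCors, attackerCanRead, compareAll };
```

`Access-Control-Allow-Origin: *` with credentials is refused by browsers, which is why misconfigured servers reflect the origin instead; that is the signature to look for when testing. `null` rather than `*` is the right answer for an unknown origin, and the `null` origin string itself must never be allowlisted, since sandboxed iframes and file:// pages send it.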
ThreatPost
added 2020/08/13 1:06 p.m.

ReVoLTE Attack Allows Hackers to Listen in on Mobile Calls

Researchers have discovered an attack on the Voice over LTE (VoLTE) mobile communications protocol that can break its encryption and allow attackers to listen in on phone calls. Dubbed ReVoLTE, the attack, detailed by a group of academic researchers from Ruhr University Bochum and New York...

AI score 0.3
Exploits 0 | References 7