3270 matches found
Stripo Inc: SSL cookie without secure flag set
Issue background: If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then t...
The vulnerability in the implementation of the interaction protocol between the “ARM Reliezer” software and the “Server Communication” software of the EKRASMS-SP software suite allows a perpetrator to recover the password.
The vulnerability of the implementation of the interaction protocol between the “ARM Reliezer” software and the “Server Communication” software of the EKRASMS-SP suite lies in the absence of a hashing mechanism, as well as the presence of pre-set authentication data used for encrypting passwords...
CVE-2019-5642
Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to...
CVE-2019-5642
CVE-2019-5642 affects Rapid7 Metasploit Pro (versions 4.16.0-2019081901 and earlier). The issue is CWE-732: during installation, the web server SSL server.key is written to the filesystem with world-readable permissions, enabling other local users to intercept private communications to the Metasp...
CVE-2019-5642 MAGICK
Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to...
Man-in-the-Middle (MitM)
airtable is vulnerable to man-in-the-middle attacks. SSL certificate validation is disabled by default in the package, allowing remote attackers within the network to intercept, sniff and modify network traffic...
containers/image: not enforcing TLS when sending username+password credentials to token servers leading to credential disclosure
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launc...
China-Linked Hackers Spy on Texts With MessageTap Malware
Researchers have discovered a new malware used for cyber-espionage efforts by China-linked threat group APT41. The malware intercepts telecom SMS server traffic and sniffs out certain phone numbers and SMS messages – particularly those with keywords relating to Chinese political dissidents. The...
Chinese Hackers Compromise Telecom Servers to Spy on SMS Messages
A group of Chinese hackers carrying out political espionage for Beijing has been found targeting telecommunications companies with a new piece of malware designed to spy on text messages sent or received by highly targeted individuals. Dubbed "MessageTap," the backdoor malware is a 64-bit ELF dat...
The vulnerability of the ZingBox Inspector, a network traffic handler, arises from a failure to neutralize special elements. This vulnerability allows an attacker to intercept and modify software update packets without authorization.
The vulnerability of the ZingBox Inspector network traffic handler exists because special elements are not properly neutralized. Exploiting this vulnerability allows a malicious actor to intercept and modify software update packets remotely and without authorization...
CVE-2019-5537
Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance 6.7 before 6.7u3a and 6.5 before 6.5u3d may allow a malicious actor to intercept sensitive data in transit over FTP...
Information disclosure
Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance 6.7 before 6.7u3a and 6.5 before 6.5u3d may allow a malicious actor to intercept sensitive data in transit over SCP...
CVE-2019-5538
Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance 6.7 before 6.7u3a and 6.5 before 6.5u3d may allow a malicious actor to intercept sensitive data in transit over SCP...
Ping Identity: Google Maps API key leaked during device pairing
Summary: Just on intercepting and going through the request I made from ort-admin.pingone.com, I found that the Google Maps API key was leaking through a GET request. I was able to validate that the leaked key was a valid one. Steps To Reproduce: 1. Log in to account, go to setup tab ping iD device...
CVE-2019-5537
Vulnerability: CVE-2019-5537 affects VMware vCenter Server Appliance 6.7 (before 6.7u3a) and 6.5 (before 6.5u3d), arising from lack of certificate validation in File-Based Backup and Restore, enabling an MITM attacker to intercept data in transit over FTPS/HTTPS. Connected advisory VMSA-2019-0018...
Unspecified Vulnerability in Cobham plc EXPLORER 710
The Cobham plc EXPLORER 710 is a portable satellite terminal from Cobham plc, UK. It provides features such as satellite communications and Internet access. A security vulnerability exists in the Cobham plc EXPLORER 710 using firmware version 1.07, which originates from the program not validating...
About the security content of watchOS 4.3.1 - Apple Support
About Apple security updates: For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page. For more information about security, se...
About the security content of tvOS 11.4 - Apple Support
About Apple security updates: For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page. For more information about security, se...
Default configuration
An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. By default, the communication to the web service is unencrypted via HTTP. An attacker is able to intercept and sniff communication to the web service...