Insufficient Entropy
Overview Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits method does not provide sufficient entropy and it generates digits that are not evenly distributed. Recommendation Upgrade to version 4.1.2. The package is deprecated and has been moved to...
RUSTSEC-2019-0032 crust repo has been archived; use libp2p instead
The crust crate repo was archived with no warning or explanation. Given that it was archived with no warning or successor, there's not an official replacement but rust-libp2p looks like it's got a similar feature set and is actively maintained...
Exploit for Path Traversal in Atutor
ATutor 2.2.4 Arbitrary File Upload / RCE CVE-2019-12169 - E...
CVE-2019-9748
Affected software: tinysvcmdns prior to 2018-01-16. Issue: processing a crafted mDNS packet can cause arbitrary data reads up to 16383 bytes from the buffer start, leading to a segmentation fault in uncompress_nlabel (mdns.c) and possible server crash, or disclosure of memory content via error me...
Directory Traversal in bitty
Affected versions of bitty are vulnerable to directory traversal via the URL path in GET requests. Recommendation The bitty package is not currently maintained, and has not seen an update since 2015. At this time, the best available mitigation is to use an alternative module that is actively...
twitter-bootstrap-rails vulnerable to Cross-Site Scripting (XSS)
The seyhunak/twitter-bootstrap-rails gem includes a vendored version of the Bootstrap JavaScript library. In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. The most recent version of this gem, 5.0.0, includes Bootstrap v 3.3.6. Al...
PT-2018-9474 · Hapi +1 · @Hapi/Cryptiles +1
Name of the Vulnerable Software and Affected Versions: Eran Hammer cryptiles versions 4.1.1 and earlier Description: The issue is related to insufficient entropy in the randomDigits method, which can result in an increased likelihood of brute force attacks. This attack appears to be exploitable...
Cross-Site Scripting in @risingstack/protect
All versions of @risingstack/protect are vulnerable to Cross-Site Scripting. The isXss XSS validator has several bypasses that may allow attackers to execute arbitrary JavaScript in a victim's browser. Recommendation No fix is currently available. Consider using an alternative package. The packag...
Olive Diary DX vulnerable to cross-site scripting
Overview Olive Diary DX provided by Olive Design contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing the page parameter. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use Olive Diary DX Olive Diary DX is no longer being develop...
WEB SCHEDULE vulnerable to cross-site scripting
Overview WEB SCHEDULE provided by Olive Design contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing the month parameter. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use WEB SCHEDULE WEB SCHEDULE is no longer being developed or...
Olive Blog vulnerable to cross-site scripting
Overview Olive Blog provided by Olive Design contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing the search parameter. Ueki Shuya reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact ...
RUSTSEC-2016-0006 `cassandra` crate is unmaintained; use `cassandra-cpp` instead
The cassandra crate has not seen a release since December 2016, and its author is unresponsive. The cassandra-cpp crate is a maintained fork: https://github.com/Metaswitch/cassandra-rs...
Simple keitai chat vulnerable to cross-site scripting
Overview Simple keitai chat provided by LEMON-S PHP contains reflected and stored cross-site scripting vulnerabilities (CWE-79). Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Directory Traversal
Overview Affected versions of bitty are vulnerable to directory traversal via the URL path in GET requests. Recommendation The bitty package is not currently maintained, and has not seen an update since 2015. At this time, the best available mitigation is to use an alternative module that is...
[SECURITY] Fedora 24 Update: irssi-0.8.20-2.fc24
Irssi is a modular IRC client with Perl scripting. Only text-mode frontend is currently supported. The GTK/GNOME frontend is no longer being maintained...
SetucoCMS vulnerable to cross-site request forgery
Overview SetucoCMS provided by SetucoCMS Project is a content management system (CMS). SetucoCMS contains a cross-site request forgery vulnerability. Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. and Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer unde...
SetucoCMS vulnerable to cross-site scripting
Overview SetucoCMS provided by SetucoCMS Project is a content management system (CMS). SetucoCMS contains a cross-site scripting vulnerability. Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. and Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
SetucoCMS vulnerable to SQL injection
Overview SetucoCMS provided by SetucoCMS Project is a content management system (CMS). SetucoCMS contains an SQL injection vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning partnership. Impact An arbitrary...
SetucoCMS vulnerable to denial-of-service (DoS)
Overview SetucoCMS provided by SetucoCMS Project is a content management system (CMS). SetucoCMS contains a denial-of-service (DoS) vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning partnership. Impact A remot...