PT-2023-21170 · Npm · @Fastify/Csrf-Protection

Name of the Vulnerable Software and Affected Versions: @fastify/csrf-protection versions prior to 4.1.0 @fastify/csrf-protection versions prior to 6.3.0 Description: The CSRF protection mechanism in the @fastify/csrf-protection library can be bypassed by network and same-site attackers under...

FreeBSD : py-suds -- vulnerable to symlink attacks (b31f7029-817c-4c1f-b7d3-252de5283393)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the b31f7029-817c-4c1f-b7d3-252de5283393 advisory. - cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and...

Osprey Pump Controller 1.0.1 - Predictable Session Token / Session Hijack

Exploit Title: Osprey Pump Controller 1.0.1 - Predictable Session Token / Session Hijack Exploit Author: LiquidWorm Vendor: ProPump and Controls, Inc. Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com Affected version: Software Build ID 20211018, Production...

Attached files under salaries module can be harvested by unauthenticated users

Description File attachment under salaries module can be downloaded and viewed by anyone without authentication by just knowing the full path /assets/FileUploads/2022/staff2/ and the predictable filename contains date YYYY-MM-DD and a random 6 digit number which can be easily enumerated by...

CVE-2022-46397

FP.io VPP Vector Packet Processor 22.10, 22.06, 22.02, 21.10, 21.06, 21.01, 20.09, 20.05, 20.01, 19.08, and 19.04 Generates a Predictable IV with CBC Mode...

CVE-2022-46397

FP.io VPP Vector Packet Processor 22.10, 22.06, 22.02, 21.10, 21.06, 21.01, 20.09, 20.05, 20.01, 19.08, and 19.04 Generates a Predictable IV with CBC Mode...

Authorization

Osprey Pump Controller version 1.01 is vulnerable to a weak session token generation algorithm that can be predicted and can aid in authentication and authorization bypass. This may allow an attacker to hijack a session by predicting the session id and gain unauthorized access to the product...

CVE-2023-28395 CVE-2023-28395

Osprey Pump Controller version 1.01 is vulnerable to a weak session token generation algorithm that can be predicted and can aid in authentication and authorization bypass. This may allow an attacker to hijack a session by predicting the session id and gain unauthorized access to the product...

CVE-2022-46397

FP.io VPP Vector Packet Processor 22.10, 22.06, 22.02, 21.10, 21.06, 21.01, 20.09, 20.05, 20.01, 19.08, and 19.04 Generates a Predictable IV with CBC Mode...

CVE-2022-46397

FP.io VPP Vector Packet Processor 22.10, 22.06, 22.02, 21.10, 21.06, 21.01, 20.09, 20.05, 20.01, 19.08, and 19.04 Generates a Predictable IV with CBC Mode...

FDio VPP 安全漏洞

FDio VPP is a fast, scalable Layer 2-4 multiplatform networking stack from FDio. A security vulnerability exists in FDio VPP that stems from the use of CBC mode to generate predictable IVs.The following products and versions are affected:FP.io VPP versions 22.10, 22.06, 22.02, 21.10, 21.06, 21.01...

PT-2023-14929 · Fp.Io · Fp.Io Vpp

Name of the Vulnerable Software and Affected Versions: FP.io VPP Vector Packet Processor versions 19.04 through 22.10 Description: The issue is related to the generation of a predictable IV with CBC mode. This affects a wide range of versions of the FP.io VPP Vector Packet Processor...

Tridium Niagara AX Improper Authentication (CVE-2012-3024)

Tridium Niagara AX Framework through 3.6 uses predictable values for 1 session IDs and 2 keys, which might allow remote attackers to bypass authentication via a brute-force attack. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more informatio...

Schneider (CVE-2017-6028)

An Insufficiently Protected Credentials issue was discovered in Schneider Electric Modicon PLCs Modicon M241, all firmware versions, and Modicon M251, all firmware versions. Log-in credentials are sent over the network with Base64 encoding leaving them susceptible to sniffing. Sniffed credentials...

Schneider Electric Modicon M221 Programmable Logic Controller Use of a One-Way Hash with a Predictable Salt (CVE-2020-28214)

A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 all references, all versions, that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictab...

Schneider (CVE-2017-6030)

A predictable value range from previous values issue was discovered in Schneider Electric Modicon PLCs Modicon M221, firmware versions prior to Version 1.5.0.0, Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The affected...

Osprey Pump Controller 1.0.1 Predictable Session Token / Session Hijacking Vulnerabilities

Osprey Pump Controller version 1.0.1 has an ELF binary called MirageCreateSessionCode.x that contains a weak session token generation algorithm that can be predicted and can aid in authentication and authorization bypass attacks. Further, session hijacking is possible due to MitM attack exploitin...

Osprey Pump Controller 1.0.1 Predictable Session Token / Session Hijack

Summary Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller. Technology hasn't changed dramatically on pump and electric motor...

K8874: OpenSSL packages contain a predictable random number generator - VU#925211

Security Advisory Description Note : Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F...

K03710547: Linux RPM vulnerability CVE-2017-7501

Security Advisory Description It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content...