php: host/secure cookie bypass due to partial CVE-2022-31629 fix
An improper input validation vulnerability was found in PHP. Due to an incomplete fix to CVE-2022-31629, network and same-site attackers can set a standard insecure cookie in the victim's browser...
Azure Linux 3.0 Security Update: php (CVE-2024-2756)
The version of php installed on the remote Azure Linux 3.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-2756 advisory. - Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and...
BIT-PHP-MIN-2024-2756 __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications...
BIT-PHP-2024-2756 __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications...
Debian dla-3810 : libapache2-mod-php7.3 - security update
The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3810 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-3810-1 [email protected]...
CVE-2024-2756
The connected advisories confirm that CVE-2024-2756 describes a `__Host-`/`__Secure-` cookie bypass resulting from an incomplete fix to CVE-2022-31629 in PHP. According to Astra Linux's note, PHP versions before 7.4.31, 8.0.24 and 8.1.11 are vulnerable. Other advisories (ALAS and AlmaLinux) reiterate ...
CVE-2024-2756 __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications...
CVE-2024-2756
Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications...
Fedora 38 : php (2024-39d50cc975)
The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-39d50cc975 advisory. PHP version 8.2.18 11 Apr 2024 Core: Fixed bug GH-13612 Corrupted memory in destructor with weak references. nielsdos Fixed bug GH-13784...
Slackware Linux 15.0 / current php81 Multiple Vulnerabilities (SSA:2024-103-01)
The version of php81 installed on the remote host is prior to 8.1.28 / 8.3.6. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2024-103-01 advisory. - In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set ...
Oracle Linux 8 : php:7.4 (ELSA-2023-2903)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-2903 advisory. - CVE-2015-2331: integer overflow when processing ZIP archives 1204676,1204677 - fixes for CVE-2012-1162 and CVE-2012-1163 - fix: due to an integer...
Cross-site Request Forgery (CSRF)
@fastify/passport is vulnerable to Cross-site Request Forgery (CSRF). When a user logs in, the library doesn't remove the session object, keeping the csrf property intact across unauthenticated and authorized sessions. CSRF tokens created prior to authentication are therefore still valid. Thus,...
Session fixation
@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Applications using @fastify/passport in affected versions for user authentication, in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation...
GHSA-4M3M-PPVX-XGW9 Session fixation in fastify-passport
Applications using @fastify/passport for user authentication, in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers. Details fastify applications rely on the @fastify/passport library fo...
Session fixation in fastify-passport
Applications using @fastify/passport for user authentication, in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers. Details fastify applications rely on the @fastify/passport library fo...
CSRF token fixation in fastify-passport
The CSRF protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport, can be bypassed by network and same-site attackers. Details fastify/csrf-protection implements the synchronizer token pattern using plugins @fastify/session and @fastify/secure-session by...
CVE-2023-29020 Cross site request forgery token fixation in fastify-passport
@fastify/passport is a port of the passport authentication library for the Fastify ecosystem. The CSRF (Cross-Site Request Forgery) protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport in affected versions, can be bypassed by network and same-site attackers...