SUSE-SU-2023:2077-1 Security update for webkit2gtk3

This update for webkit2gtk3 fixes the following issues: Update to version 2.38.6 bsc1210731: - CVE-2022-0108: Fixed information leak. - CVE-2022-32885: Fixed arbitrary code execution. - CVE-2023-25358: Fixed use-after-free vulnerability in WebCore::RenderLayer. - CVE-2023-27932: Fixed Same Origin...

Cross-site Request Forgery (CSRF)

@fastify/passport is vulnerable to Cross-site Request Forgery CSRF. When a user logs in, the library doesn't remove the session object, keeping the csrf property in tact across unauthenticated and authorized sessions. CSRF tokens created prior to authentication are therefore still valid. Thus,...

SUSE-SU-2023:2056-1 Security update for webkit2gtk3

This update for webkit2gtk3 fixes the following issues: Update to version 2.38.6 bsc1210731: - CVE-2022-0108: Fixed information leak. - CVE-2022-32885: Fixed arbitrary code execution. - CVE-2023-25358: Fixed use-after-free vulnerability in WebCore::RenderLayer. - CVE-2023-27932: Fixed Same Origin...

SUSE CVE-2023-27932

This issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, tvOS 16.4, watchOS 9.4. Processing maliciously crafted web content may bypass Same Origin Policy...

CVE-2023-27932

This issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, tvOS 16.4, watchOS 9.4. Processing maliciously crafted web content may bypass Same Origin Policy...

UBUNTU-CVE-2023-27932

This issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, tvOS 16.4, watchOS 9.4. Processing maliciously crafted web content may bypass Same Origin Policy...

CVE-2023-29020

@fastify/passport is a port of passport authentication library for the Fastify ecosystem. The CSRF Cross-Site Request Forger protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport in affected versions, can be bypassed by network and same-site attackers...

Session fixation

@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Applications using @fastify/passport in affected versions for user authentication, in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation...

Session fixation in fastify-passport

Applications using @fastify/passport for user authentication, in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers. Details fastify applications rely on the @fastify/passport library fo...

GHSA-4M3M-PPVX-XGW9 Session fixation in fastify-passport

Applications using @fastify/passport for user authentication, in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers. Details fastify applications rely on the @fastify/passport library fo...

CSRF token fixation in fastify-passport

The CSRF protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport, can be bypassed by network and same-site attackers. Details fastify/csrf-protection implements the synchronizer token pattern using plugins @fastify/session and @fastify/secure-session by...

CVE-2023-29020

CVE-2023-29020 describes a CSRF token fixation flaw in the interaction between @fastify/passport and @fastify/csrf-protection. The issue arises because @fastify/passport does not clear the user session on login, allowing the _csrf token generated before authentication to remain valid across unaut...

CVE-2023-29020 Cross site request forgery token fixation in fastify-passport

@fastify/passport is a port of passport authentication library for the Fastify ecosystem. The CSRF Cross-Site Request Forger protection enforced by the @fastify/csrf-protection library, when combined with @fastify/passport in affected versions, can be bypassed by network and same-site attackers...

GHSA-QRGF-9GPC-VRXW Bypass of CSRF protection in the presence of predictable userInfo

Description The CSRF protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be bypassed from network and same-site attackers under certain conditions. @fastify/csrf-protection supports an optional userInfo parameter that binds the CSRF token to the use...

CVE-2023-27495

@fastify/csrf-protection is a plugin which helps protect Fastify servers against CSRF attacks. The CSRF protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be bypassed from network and same-site attackers under certain conditions...

CVE-2023-27495 Bypass of CSRF protection in the presence of predictable userInfo in @fastify/csrf-protection

@fastify/csrf-protection is a plugin which helps protect Fastify servers against CSRF attacks. The CSRF protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be bypassed from network and same-site attackers under certain conditions...

Open Networking Foundation ONOS 安全漏洞

Open Networking Foundation ONOS is an open source SDN controller from Open Networking Foundation open source. It is used to build next-generation SDN/NFV solutions. A security vulnerability exists in Open Networking Foundation ONOS version 2.5.1, which stems from Intents with the same source and...

PT-2023-12982 · Onos · Onos

Name of the Vulnerable Software and Affected Versions: ONOS version 2.5.1 Description: An issue was discovered in ONOS where modification of an existing intent to have the same source and destination shows the INSTALLED state without any flow rule. This improper handling of such an intent is...

PT-2023-12984 · Onos · Onos

Name of the Vulnerable Software and Affected Versions: ONOS version 2.5.1 Description: An issue was discovered in ONOS where an intent with the same source and destination shows the INSTALLING state, indicating that its flow rules are installing. Improper handling of such an intent is misleading ...

PT-2023-22082 · Sveltekit · Sveltekit

Name of the Vulnerable Software and Affected Versions: SvelteKit versions prior to 1.15.2 Description: The SvelteKit framework provides out-of-the-box cross-site request forgery CSRF protection. However, this protection can be bypassed in versions prior to 1.15.2 by specifying an upper-cased...