CVE-2018-15754: UAA issues tokens across identity providers if users with matching usernames exist | Cloud Foundry
Severity: Medium. Vendor: Cloud Foundry Foundation. Affected Cloud Foundry Products and Versions: UAA, all versions in v60.x, v61.x, v62.x, v63.x, v64.x. Description: Cloud Foundry UAA, all versions in v60.x, v61.x, v62.x, v63.x, and v64.x, contain an authorization logic error. In environments with multip...
CVE-2018-18362
Norton Password Manager for Android (formerly Norton Identity Safe) may be susceptible to a cross-site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by...
Google Chrome Media Information Disclosure Vulnerability
Google Chrome is a web browser developed by Google, Inc. Media is one of its multimedia components. A security vulnerability exists in Media in versions of Google Chrome prior to 71.0.3578.80. A remote attacker can exploit this vulnerability to bypass the same-origin policy used for audio content...
CVE-2018-18352
Service workers could inappropriately gain access to cross-origin audio in Media in Google Chrome prior to 71.0.3578.80, which allowed a remote attacker to bypass the same-origin policy for audio content via a crafted HTML page...
CVE-2018-16869
A Bleichenbacher-type side-channel-based padding oracle attack was found in the way nettle handles endian conversion of RSA-decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process could use this flaw to extract plaintext or, in some cases,...
DEBIAN-CVE-2018-16869
A Bleichenbacher-type side-channel-based padding oracle attack was found in the way nettle handles endian conversion of RSA-decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process could use this flaw to extract plaintext or, in some cases,...
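The two nettle entries above describe a padding oracle: the decryptor's timing depends on where in the PKCS#1 v1.5 block the check fails. The following is an added example, not nettle's code and not the fix for this CVE, showing a leaky early-return unpadding routine beside a branch-free one that folds every failure reason into a single flag. The 16-byte encoded message and the helper names are constructed for this example.

```javascript
// Added example (not nettle's code): PKCS#1 v1.5 type-2 unpadding of the
// k-byte block EM that comes out of the raw RSA decryption:
//   EM = 0x00 || 0x02 || PS (>= 8 non-zero bytes) || 0x00 || M

// 1 if the small non-negative integer x is zero, else 0, with no branch.
function ctIsZero(x) {
  return ((x - 1) >>> 31) & 1;
}

// 1 if a < b for small non-negative integers, else 0, with no branch.
function ctLessThan(a, b) {
  return ((a - b) >>> 31) & 1;
}

// Leaky form: each failure returns at a different point, so how long the
// call takes (and which check failed) depends on the secret plaintext.
// This is the shape of code a padding oracle attack measures.
function unpadPkcs1v15Leaky(em) {
  if (em[0] !== 0x00) return { ok: 0, message: null };
  if (em[1] !== 0x02) return { ok: 0, message: null };
  let sep = -1;
  for (let i = 2; i < em.length; i++) {
    if (em[i] === 0x00) { sep = i; break; }
  }
  if (sep === -1) return { ok: 0, message: null };
  if (sep < 10) return { ok: 0, message: null };   // PS shorter than 8 bytes
  return { ok: 1, message: em.slice(sep + 1) };
}

// Hardened form: always scans the whole buffer, locates the separator
// arithmetically and ORs every failure reason into one flag, so the work
// done does not depend on where (or whether) the padding is malformed.
function unpadPkcs1v15(em) {
  const k = em.length;
  let bad = 0;
  bad |= em[0] ^ 0x00;
  bad |= em[1] ^ 0x02;

  let found = 0;   // becomes 1 once the first 0x00 after index 1 is seen
  let sep = 0;     // index of that first 0x00
  for (let i = 2; i < k; i++) {
    const isFirstZero = ctIsZero(em[i]) & (found ^ 1);
    sep |= i & -isFirstZero;     // -1 mask on the separator byte, else 0
    found |= isFirstZero;
  }
  bad |= found ^ 1;              // no separator at all
  bad |= ctLessThan(sep, 10);    // separator too early: PS < 8 bytes
  const ok = ctIsZero(bad);

  // The only remaining data-dependent decision is the single ok bit. A
  // TLS-style caller must not reveal even that: it substitutes a random
  // secret on failure instead of reporting an error to the peer.
  return { ok, message: ok ? em.slice(sep + 1) : null };
}
```

Both routines accept and reject the same inputs; the difference is only observable in timing, which is exactly what the side channel above exploits.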
DVWA hands-on test of a CSRF vulnerability - vulnerability warning - the black bar safety net
CSRF is cross-site request forgery: after a user has logged in to site A, a site B opened in the same client exploits the vulnerability by relying on the browser to attach site A's cookie and other authentication information, so that a request forged by site B reaches site A under the user's legitimate identity. This article, in a local environment, carries out the...
CVE-2018-19539
An issue was discovered in JasPer 2.0.14. There is an access violation in the function jas_image_readcmpt in libjasper/base/jas_image.c, leading to a denial of service...
UBUNTU-CVE-2018-19475
psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same...
Same Origin Policy Bypass
Plupload is vulnerable to same-origin policy bypass. An overly permissive Flash component allows scripts from any domain to be run, allowing remote attackers to bypass the same-origin policy via crafted SWF content...
Code Injection
valine is vulnerable to code injection. The vulnerability is possible because EMBED tags are not validated to enforce the same-origin policy, allowing an attacker to inject HTML combined with a .pdf file...
RHEL 7 : thunderbird (RHSA-2018:3458)
The remote Red Hat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2018:3458 advisory. - Mozilla: Proxy bypass using automount and autofs CVE-2017-16541 - Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2...
USN-3807-1 network-manager vulnerability
Felix Wilhelm discovered that the NetworkManager internal DHCPv6 client incorrectly handled certain DHCPv6 messages. In non-default configurations where the internal DHCP client is enabled, an attacker on the same network could use this issue to cause NetworkManager to crash, resulting in a denia...
Mozilla: Same-origin policy violation using meta refresh and performance.getEntries to steal cross-origin URLs
A same-origin policy violation allowing the theft of cross-origin URL entries when using a meta http-equiv="refresh" on a page to cause a redirection to another site using performance.getEntries. This is a same-origin policy violation and could allow for data theft. This vulnerability affects...
RHEL 6 : thunderbird (RHSA-2018:3403)
The remote Red Hat Enterprise Linux 6 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2018:3403 advisory. - Mozilla: Proxy bypass using automount and autofs CVE-2017-16541 - Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2...
GHSA-X84V-XCM2-53PG Insufficiently Protected Credentials in Requests
The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network...
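The Requests entry above is a redirect-handling bug: the client keeps the Authorization header across a hop on the same hostname even though the scheme has dropped from https to http. The following is an added example, not the Requests library's code and not its fix, showing the header-rewriting policy a client should apply at each redirect hop, and a walk over a constructed redirect chain (no network; the example.test hostnames are made up) showing where the credential is dropped and that it is not re-added later.

```javascript
// Added example (not the Requests library's code): what to do with
// credential-bearing headers when following an HTTP redirect.

// Header names that carry ambient credentials for the *target* server.
const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie']);

// Decide which headers survive the hop from `fromUrl` to `toUrl`.
// Credentials are dropped when the hostname changes or when the scheme
// is downgraded from https to http (the CVE above is the second case:
// same host, clear-text hop, Authorization still attached).
function headersForRedirect(fromUrl, toUrl, headers) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const hostChanged = from.hostname !== to.hostname;
  const downgraded = from.protocol === 'https:' && to.protocol === 'http:';
  const strip = hostChanged || downgraded;

  const kept = {};
  const stripped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (strip && CREDENTIAL_HEADERS.has(name.toLowerCase())) {
      stripped.push(name);
    } else {
      kept[name] = value;
    }
  }
  return { headers: kept, stripped, hostChanged, downgraded };
}

// Walk a constructed chain of Location values starting from `startUrl`
// and record the headers that would be sent at every hop. Once a header
// has been stripped it is never reintroduced, even if a later hop goes
// back to https.
function simulateRedirectChain(startUrl, headers, locations) {
  let url = startUrl;
  let current = { ...headers };
  const hops = [{ url, headers: { ...current } }];
  for (const location of locations) {
    const next = new URL(location, url).toString();   // relative Location allowed
    current = headersForRedirect(url, next, current).headers;
    url = next;
    hops.push({ url, headers: { ...current } });
  }
  return hops;
}
```

A client that implements the fix this way still leaks nothing on a same-host https to https hop, which is the case users actually rely on (for example an API that redirects /v1 to /v2), while the clear-text hop in the CVE no longer carries the credential.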
CVE-2018-18483
The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by...
CVE-2018-12370
In Reader View, SameSite cookie protections are not checked on exiting. This allows a payload to be triggered when Reader View is exited if it was loaded by a malicious site while Reader mode was active, bypassing CSRF protections. This vulnerability affects Firefox 61...
DEBIAN-CVE-2018-12364
NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows a malicious site to engage in cross-site request forgery (CSRF) attacks. This vulnerability affects Thunderbird 60,...