CVE-2017-7667
Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin...
CVE-2017-7667
CVE-2017-7667 affects Apache NiFi versions prior to 0.7.4 and 1.x prior to 1.3.0. The issue is an Origin Validation/Framing problem where NiFi did not set a suitable X-Frame-Options header, leaving the application vulnerable to cross-origin framing (clickjacking) attacks. Connected advisories (GHSA/JQ99, CNVD/CN...
Cross-site Scripting (XSS)
nifi-jetty is vulnerable to cross-site scripting (XSS) attacks. A malicious user can inject and execute arbitrary JavaScript because the library does not set the response headers telling browsers to only allow framing from the same origin...
CVE-2016-7830
Sony PCS-XG100, PCS-XG100S, PCS-XG100C, PCS-XG77, PCS-XG77S, PCS-XG77C devices with firmware versions prior to Ver.1.51 and PCS-XC1 devices with firmware version prior to Ver.1.22 allow an attacker on the same network segment to bypass authentication to perform administrative operations via...
WebKit: UXSS through HTMLObjectElement::updateWidget (CVE-2017-2493)
When an object element loads a JavaScript URL (e.g., javascript:alert(1)), it checks whether it violates the Same Origin Policy or not. Here are some snippets of the logic. void HTMLObjectElement::updateWidget(CreatePlugins createPlugins) { ... String url = this->url(); ... if (!allowedToLoadFrameURL(url)) return; ...
WebKit HTMLObjectElement::updateWidget Universal XSS
WebKit: UXSS through HTMLObjectElement::updateWidget (CVE-2017-2493) When an object element loads a JavaScript URL (e.g., javascript:alert(1)), it checks whether it violates the Same Origin Policy or not. Here are some snippets of the logic. void HTMLObjectElement::updateWidget(CreatePlugins createPlugins) ...
CVE-2017-8793
An issue was discovered on Accellion FTA devices before FTA912180. By sending a POST request to home/seos/courier/web/wmProgressstat.html.php with an attacker domain in the acallow parameter, the device will respond with an Access-Control-Allow-Origin header allowing the attacker to have site...
Design/Logic Flaw
An issue was discovered on Accellion FTA devices before FTA912180. By sending a POST request to home/seos/courier/web/wmProgressstat.html.php with an attacker domain in the acallow parameter, the device will respond with an Access-Control-Allow-Origin header allowing the attacker to have site...
CVE-2017-8793
CVE-2017-8793 affects Accellion FTA devices prior to FTA_9_12_180. A POST to home/seos/courier/web/wmProgressstat.html.php with an attacker-controlled acallow parameter can trigger an Access-Control-Allow-Origin header, bypassing Same-Origin Policy and granting the attacker site access. Severity ...
Cross-site Request Forgery (CSRF)
github.com/ant0ine/go-json-rest is vulnerable to cross-site request forgery. A malicious user can communicate with a JSONP endpoint using a SWF OBJECT to bypass the Same Origin Policy...
[ASA-201704-9] webkit2gtk: multiple issues
Arch Linux Security Advisory ASA-201704-9 ========================================= Severity: Critical Date : 2017-04-28 CVE-ID : CVE-2016-9642 CVE-2016-9643 CVE-2017-2367 CVE-2017-2376 CVE-2017-2377 CVE-2017-2386 CVE-2017-2392 CVE-2017-2394 CVE-2017-2395 CVE-2017-2396 CVE-2017-2405 CVE-2017-2415...
Chrome Universal XSS using plugin objects (CVE-2015-6772)
VULNERABILITY DETAILS This is a regression from issue 524120. Now that the widget updates are deferred until after the frame is detached from the document and beyond the lifetime of ScriptForbiddenScope, too, it is possible to attach another document to the frame before a new document is installe...
Google Chrome < 58.0.3029.81 Multiple Vulnerabilities
The version of Google Chrome installed on the remote macOS host is prior to 58.0.3029.81. It is, therefore, affected by multiple vulnerabilities as referenced in the 201704stable-channel-update-for-desktop advisory. - Incorrect handling of DOM changes in Blink in Google Chrome prior to 58.0.3029....
Google Chrome < 58.0.3029.81 Multiple Vulnerabilities
The version of Google Chrome installed on the remote Windows host is prior to 58.0.3029.81. It is, therefore, affected by multiple vulnerabilities as referenced in the 201704stable-channel-update-for-desktop advisory. - Incorrect handling of DOM changes in Blink in Google Chrome prior to...
CVE-2016-5168
Skia, as used in Google Chrome before 50.0.2661.94, allows remote attackers to bypass the Same Origin Policy and obtain sensitive information...
Information disclosure
Skia, as used in Google Chrome before 50.0.2661.94, allows remote attackers to bypass the Same Origin Policy and obtain sensitive information...