327 matches found
CVE-2023-26049 Cookie parsing of quoted values can exfiltrate values from other cookies in Eclipse Jetty
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " double...
CVE-2023-26049
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " double...
When Partial Protection is Zero Protection: The MFA Blind Spots No One Talks About
Multi-factor Authentication MFA has long ago become a standard security practice. With a wide consensus on its ability to fend off more than 99% percent of account takeover attacks, it's no wonder why security architects regard it as a must-have in their environments. However, what seems to be le...
Debian: Security Advisory (DLA-250-1)
The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
PT-2023-35493 · Linux · Linux Kernel
Name of the Vulnerable Software and Affected Versions: Linux Kernel versions prior to v4.14.306 Description: The issue is related to the usb bulk msg function in the Linux Kernel's USB subsystem. It involves passing act len in the error path, which may have potential security implications. The...
WordPress 'wp-cron.php' Accessible/Enabled (HTTP) - Active Check
The remote WordPress instance might have a default setup of SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:wordpress:wordpress";...
K85235351: cURL and libcurl vulnerability CVE-2016-8624
Security Advisory Description curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL...
TD Bank: Reflected XSS on marketsandresearch.td.com
Summary: Hi TD security team, there is a reflected XSS vulnerability at http://marketsandresearch.td.com. As you are most likely aware, XSS vulnerabilities can have significant security implications, including allowing an attacker to inject malicious JS code into the application, which is then...
PT-2023-34728 · Linux · Linux Kernel
Name of the Vulnerable Software and Affected Versions: Linux Kernel versions 2.6.30 through 4.9.336 Description: A possible memory leak issue was identified, which may have potential security implications. The issue was introduced in version 2.6.30 and is fixed in version 4.9.337. Recommendations...
PT-2023-33151 · Linux · Linux Kernel
Name of the Vulnerable Software and Affected Versions: Linux Kernel versions prior to v6.0.12 Description: The issue concerns the removal of used dynamic events, which may lead to security implications. The actual impact and attack plausibility have not yet been proven. Recommendations: For Linux...
PT-2023-33318 · Linux · Linux Kernel
Name of the Vulnerable Software and Affected Versions: Linux Kernel versions prior to v5.10.158 Description: The issue concerns the removal of used dynamic events, which may lead to the freeing of buffers. This could potentially have security implications, although the actual impact and attack...
PT-2023-33373 · Linux · Linux Kernel
Name of the Vulnerable Software and Affected Versions: Linux Kernel versions prior to v5.4.226 Description: The issue concerns the removal of used dynamic events, which may lead to security implications. The actual impact and attack plausibility have not yet been proven. Recommendations: For Linu...
PT-2023-33919 · Linux · Linux Kernel
Name of the Vulnerable Software and Affected Versions: Linux Kernel versions prior to v6.0.16 Description: A possible memory leak issue was discovered, which may have potential security implications. The issue was introduced in version v2.6.30 and is fixed in Linux Kernel version v6.0.16...
CVE-2020-36643
...
@mattkrick/sanitize-svg vulnerable to Cross-Site Scripting (XSS)
Impact The sanitize-svg package uses a deny-list-pattern to sanitize SVGs to prevent cross-site scripting XSS. In doing so, literal -tags and on-event handlers were detected: typescript ... const svgEl = div.firstElementChild! const attributes = Array.fromsvgEl.attributes.map name = name const...
GHSA-VP35-85Q5-9F25 Container build can leak any path on the host into the container
Description Moby is the open source Linux container runtime and set of components used to build a variety of downstream container runtimes, including Docker CE, Mirantis Container Runtime formerly Docker EE, and Docker Desktop. Moby allows for building container images using a set of build...
Container build can leak any path on the host into the container
Description Moby is the open source Linux container runtime and set of components used to build a variety of downstream container runtimes, including Docker CE, Mirantis Container Runtime formerly Docker EE, and Docker Desktop. Moby allows for building container images using a set of build...
CVE-2020-35536
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none...
Event-Driven Architectures & the Security Implications
This article explores event-driven architecture EDA with a detailed definition and explains how EDA offers many essential benefits to developers. It concludes with an outline of some best practices for mitigating security concerns...
Who Has Control: The SaaS App Admin Paradox
Imagine this: a company-wide lockout to the company CRM, like Salesforce, because the organization's external admin attempts to disable MFA for themselves. They don't think to consult with the security team and don't consider the security implications, only the ease which they need for their team...