CVE-2021-32050 Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may...

CVE-2021-32050 Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may...

MongoDB Driver may publish events containing authentication-related data

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may...

Remote Code Execution

@keystone-6/core is vulnerable to remote code execution. The use of NODEENV not in dependencies triggers the security-sensitive functionality in a production build, which makes it vulnerable to NODEENV being inlined to development for user code...

@keystone-6/core's NODE_ENV defaults to development with esbuild

Impact @keystone-6/[email protected] || 3.0.1 users that use NODEENV in their own code not dependencies to trigger security-sensitive functionality in a production build are vulnerable to NODEENV being inlined to "development" for user code. If your dependencies use NODEENV to trigger particular...

CVE-2022-39382 NODE_ENV in Keystone defaults to development with esbuild

Keystone is a headless CMS for Node.js — built with GraphQL and React.@keystone-6/[email protected] || 3.0.1 users that use NODEENV to trigger security-sensitive functionality in their production builds are vulnerable to NODEENV being inlined to "development" for user code, irrespective of what your...

Mechanize before v2.8.5 vulnerable to authorization header leak on port redirect

Summary Mechanize rubygem Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server. If a cookie is writable by a service on one port, the cookie is also writable by a...

MongoDB C# Driver Risk of Exposing Authentication Data via Command Listener

Specific versions of the MongoDB C Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser",...

Samsung Screwed Up Encryption on 100M Phones

Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year’s Galaxy S21. Researchers at Tel Aviv University found what they called “severe” cryptographic design flaws that could have let attackers siphon the...

in yiisoft/yii2

✍️ Description Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in security-sensitive context. In this case the function that generates weak random numbers is mtrand in BaseMailer.php at line 346. 🕵️‍♂️ Proof of Concept ?php echo...

RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be

Impact A security-sensitive bug was discovered by Open Source Developer Erik Sundell of Sundell Open Source Consulting AB. The functions RandomAlphaNumericint and CryptoRandomAlphaNumericint are not as random as they should be. Small values of int in the functions above will return a smaller subs...

RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be

A security-sensitive bug was discovered by Open Source Developer Erik Sundell of Sundell Open Source Consulting AB. The functions RandomAlphaNumericint and CryptoRandomAlphaNumericint are not as random as they should be...

CVE-2021-20331

Specific versions of the MongoDB C Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser",...

CVE-2021-20331 MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application

Specific versions of the MongoDB C Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser",...

CVE-2021-27437

The affected product allows attackers to obtain sensitive information from the WISE-PaaS dashboard. The system contains a hard-coded administrator username and password that can be used to query Grafana APIs. Authentication is not required for exploitation on the WISE-PaaS/RMM versions prior to...

CVE-2021-28168

Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are...

AppSec concerns: UUID generation

During static analysis, one of the things the application security team checks for is strong random number generation for security sensitive contexts. We see weaknesses in this space quite often for temporary passwords and session identifiers, but an increasingly common variant is for universally...

CVE-2020-17521

A flaw was found in Apache Groovy. Groovy makes use of a method for creating temporary directories which is not suitable for security-sensitive contexts and allows for sensitive information leakage. The highest threat from this vulnerability is to data confidentiality. Mitigation Setting the...

Doppler VDP: Stored XSS in [https://dashboard.doppler.com/workplace/*/logs] pages

Summary: I have found a stored XSS vulnerability in the following config setting page. https://dashboard.doppler.com/workplace//projects/example-project/configs/dev/logs When you invite other users to the workspace, the xss could be used to exploit other users also. Steps To Reproduce: 1 . Visit...

PT-2020-7001

Name of the Vulnerable Software and Affected Versions Samba affected versions not specified Description A vulnerability was found in Samba where a delegated administrator with permission to create objects in Active Directory can write to all attributes of the newly created object, including...