19 matches found
EUVD-2021-1444
Malware in sbrugna...
EUVD-2022-0829
Malicious code in bioql PyPI...
CVE-2025-59432 Timing Attack Vulnerability in SCRAM Authentication
SCRAM Salted Challenge Response Authentication Mechanism is part of the family of Simple Authentication and Security Layer SASL, RFC 4422 authentication mechanisms. Prior to version 3.2, a timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because Arrays.equals...
CVE-2022-23655
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to...
CVE-2021-32738
js-stellar-sdk is a Javascript library for communicating with a Stellar Horizon server. The Utils.readChallengeTx function used in SEP-10 Stellar Web Authentication states in its function documentation that it reads and validates the challenge transaction including verifying that the...
ID4me does not validate signature or expiration
None...
PT-2023-9800 · Asyncssh +3 · Asyncssh +3
Name of the Vulnerable Software and Affected Versions: AsyncSSH versions prior to 2.14.1 Description: The issue in AsyncSSH allows attackers to control the extension info message via a man-in-the-middle attack, enabling them to conduct algorithm downgrade attacks during user authentication. This...
EUVD-2023-54518
The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE...
Input validation
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to...
CVE-2022-23655 Missing server signature validation in OctoberCMS
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to...
CVE-2022-23655 Missing server signature validation in OctoberCMS
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to...
Utils.readChallengeTx does not verify the server account signature
The Utils.readChallengeTx function used in SEP-10 Stellar Web Authentication states in its function documentation that it reads and validates the challenge transaction including verifying that the serverAccountID has signed the transaction. The function does not verify that the server has signed...
CVE-2021-32738 Utils.readChallengeTx does not verify the server account signature
js-stellar-sdk is a Javascript library for communicating with a Stellar Horizon server. The Utils.readChallengeTx function used in SEP-10 Stellar Web Authentication states in its function documentation that it reads and validates the challenge transaction including verifying that the...
CVE-2021-32738
CVE-2021-32738 affects the js-stellar-sdk library used to interact with Stellar Horizon. The vulnerability lies in Utils.readChallengeTx, which, before version 8.2.3, did not verify that the server signature was present on the challenge transaction; however, signature verification via Utils.verif...
SQL Server Reporting Services (SSRS) ViewState Deserialization
A vulnerability exists within Microsoft's SQL Server Reporting Services which can allow an attacker to craft an HTTP POST request with a serialized object to achieve remote code execution. The vulnerability is due to the fact that the serialized blob is not signed by the server. This module...
SUSE-SU-2016:0189-1 Security update for mozilla-nss
This update contains mozilla-nss 3.19.2.2 and fixes the following security issue: - CVE-2015-7575: MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature bsc959888...
Nmap NSE 6.01: smb-os-discovery
Attempts to determine the operating system, computer name, domain, workgroup, and current time over the SMB protocol ports 445 or 139. This is done by starting a session with the anonymous account or with a proper user account, if one is given; it likely doesn't make a difference; in response to ...
Apple Filing Protocol Info Enumerator
This module fetches AFP server information, including server name, network address, supported AFP versions, signature, machine type, and server flags. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class...
Apache 2 Cross-Site Scripting
This is being submitted without an update to Apache, but I am expecting an Apache Update Announcement shortly. The CVE has already assigned a candidate to this it is currently reserved, and CERT has assigned VU240329, but has not created a write-up yet. The reason for the ugly mail2web .sig is...