httpd: Padding Oracle in Apache mod_session_crypto

It was discovered that the modsessioncrypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack...

Security Bypass Vulnerability in Security Component of Multiple Apple Products

Apple macOS Sierra, iOS, and tvOS are products of Apple Inc. macOS Sierra is a specialized operating system for Mac computers; iOS is an operating system for mobile devices. security is one of the information security and privacy components. A security vulnerability exists in the Security compone...

Open Redirect

Apache jUDDI is vulnerable to open redirect attacks. There is a flaw which leads the logout jsp page to redirect to the login page after logging out of the portal. Therefore, a malicious user can use the flaw to redirect to an unintended web page. This would be done after the clearing of user...

McAfee Network Data Loss Prevention Cross-Site Scripting Vulnerability (CNVD-2017-07553)

McAfee Network Data Loss Prevention is a data leakage protection solution. McAfee Network Data Loss Prevention NDLP suffers from a cross-site scripting vulnerability in the server implementation, which can be exploited by remote attackers to view session and cookie information by modifying HTTP...

Wordpress EELV Newsletter Cross-Site Scripting Vulnerability

WordPress is a set of WordPress Software Foundation's blogging platform developed using the PHP language, which supports personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability in the s value of the Wordpress EELV Newsletter page allows remote attackers to exploit...

openSUSE Security Update : libressl (openSUSE-2017-561)

This update for libressl to version 2.5.1 fixes the following issues : These security issues were fixed : - CVE-2016-0702: Prevent side channel attack on modular exponentiation boo968050. - CVE-2016-7056: Avoid a side-channel cache-timing attack that can leak the ECDSA private keys when signing...

openSUSE Security Update : libressl (openSUSE-2017-560)

This update for libressl to version 2.5.1 fixes the following issues : These security issues were fixed : - CVE-2016-0702: Prevent side channel attack on modular exponentiation boo968050. - CVE-2016-7056: Avoid a side-channel cache-timing attack that can leak the ECDSA private keys when signing...

httpd: Padding Oracle in Apache mod_session_crypto

It was discovered that the modsessioncrypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack...

CVE-2016-4869

Cybozu Office 9.0.0 to 10.4.0 allow remote attackers to obtain session information via a page where CGI environment variables are displayed...

Scientific Linux Security Update : httpd on SL7.x x86_64 (20170412)

Security Fixes : - It was discovered that the modsessioncrypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack...

httpd: Padding Oracle in Apache mod_session_crypto

It was discovered that the modsessioncrypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack...

CVE-2017-6356

Palo Alto Networks Terminal Services aka TS Agent 6.0, 7.0, and 8.0 before 8.0.1 uses weak permissions for unspecified resources, which allows attackers to obtain sensitive session information via unknown vectors...

F5 Networks BIG-IP : PHP vulnerability (K35232053)

ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by object injection. CVE-2016-7125 C...

Apache-mod_session_crypto module in the Padding Oracle vulnerability analysis-vulnerability warning-the black bar safety net

Recently, security researchers at theWeb serverApache modsessioncrypto module found a Padding Oracle vulnerability. An attacker can exploit this vulnerability to decrypt the session data, and even can be used to specify the data to be encrypted. Vulnerability details Product: Apache HTTP Server...

Unspecified Vulnerability in Apache HTTP Server

Apache httpd is the U.S. Apache Apache Software Foundation, an open source HTTP server developed and maintained specifically for modern operating systems. A security vulnerability exists in Apache httpd, which stems from the program's failure to properly parse HTTP headers. A remote attacker coul...

Apache mod_session_crypto - Padding Oracle Vulnerability

Apache modsessioncrypto versions 2.3 through 2.5 suffer form a padding oracle vulnerability. Padding Oracle in Apache modsessioncrypto During a penetration test, RedTeam Pentesting discovered a Padding Oracle vulnerability in modsessioncrypto of the Apache web server. This vulnerability can be...

Design/Logic Flaw

An issue was discovered in components/comusers/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group mappings, username, and...

CVE-2016-9838

An issue was discovered in components/comusers/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group mappings, username, and...

SAP NetWeaver AS JAVA 7.3 AS JAVA XSS in ctcprotocol/Protocol servlet

Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.3 Vendor URL: SAP Bugs: XXS Reported: 13.12.2016 Vendor response: 14.12.2016 Date of Public Advisory: 11.04.2017 Reference: SAP Security Note 2406783 Author: Vahagn Vardanyan ERPScan VULNERABILITY INFORMATION Class: XSS...

Cybozu Office Information Disclosure Vulnerability (CNVD-2016-08628)

Cybozu Office is a Web-based, cross-platform collaboration solution from Cybozu. An information disclosure vulnerability exists in Cybozu Office versions 9.0.0 through 10.4.0. A remote attacker can exploit this vulnerability to obtain user session information...