9387 matches found
CVE-2019-11388
Affected product: OWASP ModSecurity Core Rule Set (CRS) up to version 3.1.0. Vulnerable component: /rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf, where a specially crafted string with nested repetition operators can cause a denial of service (ReDOS). Underlying cause: nested repetition operators...
CVE-2019-11387
An issue was discovered in OWASP ModSecurity Core Rule Set CRS through 3.1.0. /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf allows remote attackers to cause a denial of service ReDOS by entering a specially crafted string with nested repetition operators...
CVE-2019-11387
An issue was discovered in OWASP ModSecurity Core Rule Set CRS through 3.1.0. /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf allows remote attackers to cause a denial of service ReDOS by entering a specially crafted string with nested repetition operators...
PT-2019-12277 · Owasp +1 · Owasp Modsecurity Core Rule Set +1
Name of the Vulnerable Software and Affected Versions: OWASP ModSecurity Core Rule Set CRS versions through 3.1.0 Description: An issue was discovered that allows remote attackers to cause a denial of service ReDOS by entering a specially crafted string with $a at the beginning and nested...
PT-2019-12274 · Owasp +1 · Owasp Modsecurity Core Rule Set +1
Name of the Vulnerable Software and Affected Versions: OWASP ModSecurity Core Rule Set CRS versions through 3.1.0 Description: An issue was discovered in OWASP ModSecurity Core Rule Set CRS that allows remote attackers to cause a denial of service ReDOS by entering a specially crafted string with...
PT-2019-12276 · Owasp +1 · Owasp Modsecurity Core Rule Set +1
Name of the Vulnerable Software and Affected Versions: OWASP ModSecurity Core Rule Set CRS versions through 3.1.0 Description: An issue was discovered that allows remote attackers to cause a denial of service ReDOS by entering a specially crafted string with set error handler at the beginning and...
PT-2019-12275 · Owasp +1 · Owasp Modsecurity Core Rule Set +1
Name of the Vulnerable Software and Affected Versions: OWASP ModSecurity Core Rule Set CRS versions through 3.1.0 Description: An issue was discovered that allows remote attackers to cause a denial of service ReDOS by entering a specially crafted string with next at the beginning and nested...
USN-3914-2 ntfs-3g update
USN-3914-1 fixed vulnerabilities in NTFS-3G. As an additional hardening measure, this update removes the setuid bit from the ntfs-3g binary. Original advisory details: A heap buffer overflow was discovered in NTFS-3G when executing it with a relative mount point path that is too long. A local...
kernel: Missing check in fs/inode.c:inode_init_owner() does not clear SGID bit on non-directories for non-members
A vulnerability was found in the fs/inode.c:inodeinitowner function logic of the LInux kernel that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group an...
The vulnerability of the set_host_domain_name function in Cisco Linksys E1200 and Cisco Linksys E2500 router microprogramming systems allows a hacker to gain full control over the vulnerable device.
The vulnerability of the sethostdomainname function libshared.so in Cisco Linksys E1200 and Cisco Linksys E250 router microprogramming systems exists due to the lack of measures taken to neutralize the special elements used in the operating system command. Exploiting this vulnerability can allow ...
SUSE-SU-2019:0803-1 Security update for openssl
This update for openssl fixes the following issues: Security issues fixed: - The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations bsc1117951 - CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond...
The vulnerability of the SetIPv4FirewallSettings() function in the D-Link router’s software allows a hacker to execute arbitrary code.
The vulnerability of the SetIPv4FirewallSettings function in the D-Link router’s software interface is related to insufficient cleaning of input data. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
The vulnerability of the SetStaticRouteIPv6Settings() function in D-Link’s router software allows a hacker to execute arbitrary code.
The vulnerability of the SetStaticRouteIPv6Settings function in D-Link’s microprogrammed router software is related to insufficient cleaning of input data. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
snap - seccomp BBlacklist for TIOCSTI can be Circumvented
/ snap uses a seccomp filter to prevent the use of the TIOCSTI ioctl; in the source code, this filter is expressed as follows: TIOCSTI allows for faking input man ttyioctl TODO: this should be scaled back even more ioctl - !TIOCSTI In the X86-64 version of the compiled seccomp filter, this result...
CVE-2019-7440
JioFi 4G M2S 1.0.2 devices have CSRF via the SSID name and Security Key field under Edit Wi-Fi Settings aka a SetWiFiSetting request to cgi-bin/qcmapwebcgi...
Linux: SGID files
When the SGID set group ID bit is set on an executable, it executes with the GID of the owner. This may be intended for some executables. Add files with SGID bit which should be allowed to have this bit set in the preference. This script checks if any other local files than the given have the SGI...
Linux: SUID files
When the SUID set user ID bit is set on an executable, it executes with the UID of the owner. This may be intended for some executables. Add files with SUID bit which should be allowed to have this bit set in the preference. This script checks if any other local files than the given have the SUID...
Unpatched Fujitsu Wireless Keyboard Bug Allows Keystroke Injection
UPDATE Fujitsu is stopping sales for its popular wireless keyboard after a researcher discovered it is vulnerable to keystroke injection attacks that could allow an adversary to take control of a victim’s system. Researchers with Germany-based SySS reported on Friday that the high-severity...
CVE-2019-5019
A heap-based overflow vulnerability exists in the PowerPoint document conversion function of Rainbow PDF Office Server Document Converter V7.0 Pro R1 7,0,2018,1113. While parsing Document Summary Property Set stream, the getSummaryInformation function is incorrectly checking the correlation betwe...
Key considerations for building vs. buying identity access management solutions
Time and time again, organizations learn the hard way that no matter which security solutions they have in place, if they haven’t properly secured the end user, their efforts can be easily rendered moot. The classic slip-up most often associated with end-user-turned-insider-threat is falling for ...