Lucene search
+L

673 matches found

Hacker One
Hacker One
added 2015/05/20 7:16 p.m.29 views

Ruby on Rails: Changeable model ids on vanilla update can lead to severely bad side-effects

Proof of concept User.find1.update!id: 1701 But strong params! Disagree. There are cases where less experienced users will allow "id" as a param for a subnested resource and then copy and past that code into that subnested resource's own controller, forgetting to remove the "id". I consider this...

1.2AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2015/04/15 1:16 p.m.13 views

PCI DSS version 3.1 released!

As expected, a "minor" revision to the PCI DSS 3.0 standard now version 3.1 was released by the PCI SSC today to address the vulnerabilities exposed by the POODLE and BEAST browser attacks. PCI DSS 3.1 primarily addresses the insecure use of SSL as an encryption protocol within a Cardholder Data...

1.8AI score
Exploits0
CERT
CERT
added 2015/04/13 12:0 a.m.109 views

Microsoft Windows NTLM automatically authenticates via SMB when following a file:// URL

Overview Software running on Microsoft Windows that utilizes HTTP requests can be forwarded to a file:// protocol on a malicious server, which causes Windows to automatically attempt authentication via SMB to the malicious server in some circumstances. The encrypted form of the user's credentials...

7.4CVSS8AI score0.04478EPSS
Exploits1References15
The Coalfire Blog
The Coalfire Blog
added 2015/02/19 12:46 p.m.18 views

What does PCI DSS 3.1 and PA-DSS 3.1 mean for you and your organization

In the wake of the POODLE vulnerability identified by NIST and subsequent attacks, the PCI SSC has announced its intent to release the first revision of the PCI DSS 3.0 and PA-DSS 3.0 standards. The PCI DSS 3.1 and PA-DSS 3.1 standards will indicate that the SSL v3.0 protocol no longer meets the...

1.1AI score
Exploits0
Tenable Nessus
Tenable Nessus
added 2015/01/23 12:0 a.m.59 views

Default Password (passw0rd) for 'superuser' Account

The account 'superuser' on the remote host has the password 'passw0rd'. An attacker can leverage this issue to gain administrative access to the affected system. Note that IBM Storwize devices are known to use these credentials to provide administrative access to the device. %NASLMINLEVEL 70300 C...

7.5CVSS8.3AI score0.53618EPSS
Exploits41References1
Tenable Nessus
Tenable Nessus
added 2014/12/22 12:0 a.m.108 views

Default Password (abc123) for 'admin' Account

The account 'admin' on the remote host has the default password 'abc123'. An attacker can leverage this issue to gain full access to the affected system. Note that Junos Space is known to use these credentials by default. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. account = "admin";...

7.5CVSS8.3AI score0.53618EPSS
Exploits41References2
erpscan
erpscan
added 2014/11/06 12:0 a.m.26 views

Oracle Weblogic Application Server – Authorization bypass

Application: Oracle Weblogic Application Server Versions Affected: WebLogic Server 10.3.6.0/10.3.1.0, maybe others Vendor URL: http://www.oracle.com Bugs: Authorization bypass Exploits: YES Reported: 11.06.2014 Vendor response: 12.06.2014 Date of Public Advisory: 17.10.2014 Reference: Oracle CPU...

0.6AI score
Exploits0
myhack58
myhack58
added 2014/10/16 12:0 a.m.14 views

SSL v3 Poodle security vulnerability fix recommendations-vulnerability warning-the black bar safety net

! The use of SSL to protect your website traffic far more than is on the server install an SSL certificate. Era in constant development,with the browser of aging, password strength reduction as well as attackers become more creative, the situation has undergone subtle changes. For early...

0.4AI score
Exploits0
Tenable Nessus
Tenable Nessus
added 2014/10/10 12:0 a.m.60 views

F5 Networks BIG-IP : SSH vulnerability (K13600)

A platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using secure shell SSH. The vulnerability is caused by a configuration error, and is not the result of an underlying SSH defect. The following platforms a...

5.6AI score
Exploits0References2
RedHat Linux
RedHat Linux
added 2014/08/27 2:22 p.m.5 views

rubygem-activerecord: Strong Parameter bypass with create_with

It was discovered that Active Record's createwith method failed to properly check attributes passed to it. A remote attacker could possibly use this flaw to bypass the strong parameter protection and modify arbitrary model attributes via mass assignment if an application using Active Record calle...

7.5CVSS5.9AI score0.02797EPSS
Exploits0References4
NVD
NVD
added 2014/08/20 11:17 a.m.31 views

CVE-2014-3514

activerecord/lib/activerecord/relation/querymethods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes createwith calls...

7.5CVSS6.5AI score0.02797EPSS
Exploits0References4
OSV
OSV
added 2014/08/20 11:17 a.m.6 views

CVE-2014-3514

activerecord/lib/activerecord/relation/querymethods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes createwith calls...

6.4AI score
Exploits0References4
OSV
OSV
added 2014/08/20 11:17 a.m.3 views

DEBIAN-CVE-2014-3514

activerecord/lib/activerecord/relation/querymethods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes createwith calls...

7.5CVSS7AI score0.02797EPSS
Exploits0References1
Prion
Prion
added 2014/08/20 11:17 a.m.21 views

Design/Logic Flaw

activerecord/lib/activerecord/relation/querymethods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes createwith calls...

7.5CVSS7.1AI score0.02797EPSS
Exploits0References4Affected Software1
UbuntuCve
UbuntuCve
added 2014/08/20 11:17 a.m.25 views

CVE-2014-3514

activerecord/lib/activerecord/relation/querymethods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes createwith calls...

7.5CVSS5.9AI score0.02797EPSS
Exploits0References3
Cvelist
Cvelist
added 2014/08/20 10:0 a.m.25 views

CVE-2014-3514

activerecord/lib/activerecord/relation/querymethods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes createwith calls...

6.4AI score0.02797EPSS
Exploits0References4
Debian CVE
Debian CVE
added 2014/08/20 10:0 a.m.82 views

CVE-2014-3514

activerecord/lib/activerecord/relation/querymethods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes createwith calls...

7.5CVSS6.4AI score0.02797EPSS
Exploits0
CVE
CVE
added 2014/08/20 10:0 a.m.102 views

CVE-2014-3514

The CVE-2014-3514 entry concerns ActiveRecord in Ruby on Rails (Rails 4.0.x prior to 4.0.9 and 4.1.x prior to 4.1.5). The underlying issue is a bypass of strong parameters protection via crafted input to create_with calls, enabling remote attackers to bypass parameter filtering. Documented refere...

7.5CVSS6.5AI score0.02797EPSS
Exploits0References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2014/08/20 12:0 a.m.38 views

Strong Parameter bypass with create_with

The createwith functionality in Active Record was implemented incorrectly and completely bypasses the strong parameter protection...

7.5CVSS6.3AI score0.02797EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2014/08/18 12:0 a.m.23 views

Data Injection Vulnerability in Active Record

The createwith functionality in Active Record was implemented incorrectly and completely bypasses the strong parameters protection. Applications which pass user-controlled values to createwith could allow attackers to set arbitrary attributes on models...

7.5CVSS6.9AI score0.02797EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder