116 matches found
Subresource Integrity Bypass
webpack-subresource-integrity is vulnerable to subresource integrity bypass. Dynamically injected tags use undefined and the integrity check can be bypassed, potentially resulting in cross-site scripting attacks...
CVE-2020-15262
In webpack-subresource-integrity before version 1.5.1, all dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-lev...
CVE-2020-15262
In webpack-subresource-integrity before version 1.5.1, all dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-lev...
Input validation
In webpack-subresource-integrity before version 1.5.1, all dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-lev...
CVE-2020-15262 Invalid integrity hashes in webpack-subresource-integrity
In webpack-subresource-integrity before version 1.5.1, all dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-lev...
CVE-2020-15262
Summary : CVE-2020-15262 affects webpack-subresource-integrity prior to 1.5.1. All dynamically loaded chunks receive an invalid integrity hash, which the browser ignores, removing the extra protection from SRI. Top-level chunks are unaffected. Impact (as stated) : The browser cannot validate inte...
@aldendaniels/react-scripts (=0.8.3), @amc-technology/ui-library (=1.0.10) +186 more potentially affected by CVE-2020-15262 via webpack-subresource-integrity (>=0.7.0 <=1.5.0)
webpack-subresource-integrity NPM version =0.7.0, =1.2.3, =9.0.0, =0.8.8, =0.0.1-SNAPSHOT, =0.0.1-alpha.1, =1.2.2, =0.1.8, =0.0.0, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =10.0.0 and more Source cves: CVE-2020-15262 Source advisory: OSV:GHSA-4FC4-CHG7-H8GH...
GHSA-4FC4-CHG7-H8GH Unprotected dynamically loaded chunks
Impact All dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-level chunks are unaffected. Patches This issue is...
Unprotected dynamically loaded chunks
Impact All dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-level chunks are unaffected. Patches This issue is...
Invalid Subresource Integrity
Subresource Integrity SRI is a web security standard that enables browsers to verify that resources hosted by third parties CDN for example are delivered without unexpected manipulation. SRI works by comparing a cryptographic hash declared in the integrity attribute of the resource tag like scrip...
Missing Subresource Integrity
Subresource Integrity SRI is a web security standard that enables browsers to verify that resources hosted by third parties CDN for example are delivered without unexpected manipulation. SRI works by comparing a cryptographic hash declared in the integrity attribute of the resource tag like scrip...
U.K. and U.S. Government Websites Among Thousands Infected by Cryptocurrency Miner
More than 4,200 websites, including many run the U.K. and U.S. governments, were infected on Feb. 11 by a Monero cryptocurrency miner delivered through Browsealoud, a hosted accessibility service that can read website content aloud for people with visual impairments. Browsealoud developer Texthel...
Majority of Sites Fail Mozilla's Comprehensive Security Review
A majority of the top 1 million websites earn an “F” letter grade when it comes to adopting defensive security technology that protect visitors from XSS vulnerabilities, man-in-the-middle attacks, and cookie hijacking. The failing grades come from a comprehensive analysis published this week by t...
The vulnerability of Google Chrome’s browser allows a violator to bypass mechanisms designed to protect the integrity of subresources.
The vulnerability of the PendingScript::notifyFinished function in Google Chrome’s WebKit/Source/core/dom/PendingScript.cpp is related to deficiencies in access control. Exploiting this vulnerability could allow a malicious actor to bypass Subresource Integrity SRI protection mechanisms by...
Ubuntu 14.04 LTS : Oxide vulnerabilities (USN-2920-1)
The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2920-1 advisory. It was discovered that the ContainerNode::parserRemoveChild function in Blink mishandled widget updates in some circumstances. If a user were tricked in ...
Ubuntu: Security Advisory (USN-2920-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
USN-2920-1 oxide-qt vulnerabilities
It was discovered that the ContainerNode::parserRemoveChild function in Blink mishandled widget updates in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions. CVE-2016-1630 It was...
Google Chrome Security Bypass Vulnerability (CNVD-2016-01515)
Google Chrome is a web browser developed by the American company Google Google. A security vulnerability exists in the 'PendingScript::notifyFinished' function in the WebKit/Source/core/dom/PendingScript.cpp file in Google Chrome versions prior to 49.0.2623.75. A security vulnerability exists...
chromium-browser: SRI Validation Bypass
The PendingScript::notifyFinished function in WebKit/Source/core/dom/PendingScript.cpp in Google Chrome before 49.0.2623.75 relies on memory-cache information about integrity-check occurrences instead of integrity-check successes, which allows remote attackers to bypass the Subresource Integrity...
Debian DSA-3507-1 : chromium-browser - security update
Several vulnerabilities have been discovered in the chromium web browser. - CVE-2015-8126 Joerg Bornemann discovered multiple buffer overflow issues in the libpng library. - CVE-2016-1630 Mariusz Mlynski discovered a way to bypass the Same Origin Policy in Blink/Webkit. - CVE-2016-1631 Mariusz...