826 matches found
[SECURITY] [DSA 4247-1] ruby-rack-protection security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4247-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff July 16, 2018 https://www.debian.org/security/faq -...
Debian: Security Advisory (DSA-4247-1)
The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
CVE-2018-1262
The CVE-2018-1262 issue affects Cloud Foundry Foundation UAA (versions 4.12.x and 4.13.x). The root cause is a feature that allowed privilege escalation across identity zones when offline token validation is performed, enabling a zone administrator to configure tokens impersonating another zone a...
OctoberCMS Cross-Site Request Forgery Vulnerability
OctoberCMS is an open source, self-hosted content management system CMS built on the Laravel PHP framework developed by Canadian software developer Alexey Bobkov and Australian software developer Samuel Georges. A cross-site request forgery vulnerability exists in OctoberCMS version 1.0.426 a.k.a...
WakaTime: password token validation
Hello, when I reset password all tokens are valid can be used, should keep valid only token in the last request or you can invalidate all reset links after using one of the requests successfully. Steps: 1 go to the password reset page and request more than one request. 2 go to your email and use...
Paragon Initiative Enterprises: CSRF token does not valided during blog comment
SUMMURY ================= i tested that all post request has CSRF token. During Author profile creation also a CSRF token is posted. Now when i removed this CSRF token , show s error like bellow CSRF validation failed 0 /var/www/csprng/src/Cabin/Bridge/Controller/Author.php52:...
Cross-Site Request Forgery(CSRF)
drupal/core is vulnerable to cross-site request forgery CSRF attacks. The library does not carry out form token validation early enough, allowing attackers to run the file upload value callbacks with untrusted input...
SimpleSAMLphp Invalid Token Creation and Validation Vulnerability
SimpleSAMLphp is a set of PHP authentication applications that implement the SAML 2.0 service provider and identity provider functionality . A security vulnerability exists in SimpleSAMLphp 1.14.14 and earlier versions of SimpleSAMLAuthTimeLimitedToken. An attacker can exploit the vulnerability t...
WakaTime: Password token validation in https://wakatime.com/
Hi team, I noticed that when requesting multiple reset links at https://wakatime.com/resetpassword/ all tokens are valid and can be used. In numerous applications the following policy is adopted as an additional security measure: keep valid only that token with shorter lifetime last requested or...
Weblate: Password token validation in Weblate Bypass
Hi, This is a bypass of the fix on 229987. I could confirm that old link still works. Though you would need to use 2 browsers to pull this off Reproduction Steps 1. In Browser1, request a password reset - Load link sent to your email in the same browser - Request another password reset in Browser...
CSRF Vulnerability in Cicada CMS 6.2
Cicada Knowledge Enterprise Portal System is an open source and free enterprise portal system. CSRF vulnerability exists in Cicada Knowledge cms version 6.2. The vulnerability stems from the lack of token validation on the background page of Cicada Knowledge cms, which leads to the triggering of...
Cross-site scripting and cross-site request forgery vulnerabilities in metinfo
metinfo cms is an enterprise website management system with PHP Mysql architecture. There are cross-site scripting and cross-site request forgery vulnerabilities in metinfo. metinfocms "background settings-basic information-third-party code" form does not have token validation and effective...
Nextcloud: CSRF token validation is missing
Greetings, Hello Security Team, Summary I know this is a medium risk issue but i want you guys to be aware of it that the CSRF token validation is missing at the time of login on https://portal.nextcloud.com/login.php login page. PoC Code: Email Password Login Now Forgot Password? var tabs = '';...
CSRF Cross-site Request Forgery Vulnerability at Add Administrator of Rice Shell Enterprise Website Builder 2016 Official Version
Rice Shell Enterprise Building System is an enterprise building and content management system. CSRF cross-site request forgery vulnerability exists in Rice Shell Enterprise Website Builder System 2016 Official VersionAdd Administrator. As the packet of the add administrator operation is not token...
YXcmsApp V1.4.3 'uninstall()' Function Has Cross-Site Request Forgery Vulnerability
Yxcms is an enterprise building system based on PHP and mysql technology. A cross-site request forgery vulnerability exists in the YXcmsApp V1.4.3 'uninstall' function. Due to the lack of HTTP Referer or token validation, an attacker can exploit the vulnerability to uninstall the system's...
CSRF vulnerability in icms backend
iCMS is an efficient content management system for small and medium-sized websites. A csrf vulnerability exists in the latest version of iCMS. Because the token is not validated in the /app/admincp/account.app.php dosave operation, an attacker can modify the administrator account password by...
CVE-2016-4430
Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery CSRF attacks via unspecified vectors...
Cross site request forgery (csrf)
Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery CSRF attacks via unspecified vectors...
Apache Struts2 Remote Code Execution Vulnerability (CNVD-2016-04092)
Apache Struts is the United States Apache Apache Software Foundation is responsible for maintaining an open source project , is a set of open source MVC framework for creating enterprise-class Java Web applications , mainly provides two versions of the framework products , Struts 1 and Struts 2...
New Relic: A Log in page does not properly validate the authenticity token at the server side
Description: POST /login?returnto=%2Foauthprovider%2Fauthorize%3Fresponsetype%3Dcode%26clientid%3D%252BvB2dkv4yOb37C00ACk%252B6A%253D%253D%26redirecturi%3Dhttps%253A%252F%252Frpm.newrelic.com%252Fauth%252Fnewrelic%252Fcallback%26state%3D2ea541fcd18aa27925ad8977848536106cbaf1bbb4611f90 HTTP/1.1...