Improper access control

VMware VMware Fusion 11.x before 11.0.3 contains a security vulnerability due to certain unauthenticated APIs accessible through a web socket. An attacker may exploit this issue by tricking the host user to execute a JavaScript to perform unauthorized functions on the guest machine where VMware...

CVE-2019-5514

CVE-2019-5514 is a VMware Fusion vulnerability where unauthenticated APIs accessible through a web socket can be abused to trick the host user into running JavaScript on the guest via VMware Tools, potentially enabling commands on the guest. Affected product: VMware Fusion 11.x prior to 11.0.3. M...

CVE-2019-5514

VMware VMware Fusion 11.x before 11.0.3 contains a security vulnerability due to certain unauthenticated APIs accessible through a web socket. An attacker may exploit this issue by tricking the host user to execute a JavaScript to perform unauthorized functions on the guest machine where VMware...

VMWare Fusion APIs available without auth via web socket (CVE-2019-5514)

VMware Fusion 11.x before 11.0.3 contains a security vulnerability due to certain unauthenticated APIs accessible through a web socket. An attacker may exploit this issue by tricking the host user to execute a JavaScript to perform unauthorized functions on the guest machine where VMware Tools is...

CVE-2018-0278

A vulnerability in the management console of Cisco Firepower System Software could allow an unauthenticated, remote attacker to access sensitive data about the system. The vulnerability is due to improper cross-origin domain protections for the WebSocket protocol. An attacker could exploit this...

Legal Robot: cross site web socket hijacking

In the below web-socket request successful 101 protocol handshake is working with the origin:https://app.legalrobot.com, but if you place the malicious origin in the place of https://thisdata.com which is http://evil.com or any page containing the malware, the web socket server is still giving 10...

Legal Robot: Lengthy manual entry of 2FA secret

Hello @team, I would like to report on some issue where users are going to face while 2FA authentication.We can see that users need to enter 52 bit code manually for 2FA authentication,which is taking a lot of time and it will be difficult for the user to enter the total 52 bits in the google...

Legal Robot: Issues with Forgot password Error Handling

Hello @team, I found a similar issue to 249695.Where user when giving an error email id it is not showing any error response.This is not of high impact but this might throw the users in confusing state as there is no error message user will be waiting for the server response. Steps to reproduce:...

Mozilla: Integer overflow and memory corruption in WebSocketChannel (MFSA 2016-75, MFSA 2016-86)

Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48.0 and Firefox ESR 45.4 allows remote attackers to execute arbitrary code or cause a denial of service memory corruption via crafted packets that trigger incorrect buffer-resize operations durin...

[SECURITY] Fedora 23 Update: nodejs-ws-1.1.1-1.fc23

Simple to use, blazing fast and thoroughly tested web socket client, server and console for nodejs, up-to-date against RFC-6455...

Slack: Stored XSS on team.slack.com using new Markdown editor of posts inside the Editing mode and using javascript-URIs

Hi, I noticed while looking at an old article I made a while ago that some links were actually inserted as javascript:-links. Doing some modifications to these actually revealed that inside editing mode, no protection is added for getting arbitrary scripts to run. This means that by catching the...

Trello: If a team is public, the web socket receives data about the Team visible boards

When viewing a public team, users are allowed to connect to an update channel that notifies them of changes made to the team. When a "team visible" not public board was added or removed from a public team, an update with the name of the team would be sent to all subscribers, potentially including...

[SECURITY] Fedora 22 Update: nodejs-ws-1.0.1-1.fc22

Simple to use, blazing fast and thoroughly tested web socket client, server and console for nodejs, up-to-date against RFC-6455...

[SECURITY] Fedora 23 Update: nodejs-ws-1.0.1-1.fc23

Simple to use, blazing fast and thoroughly tested web socket client, server and console for nodejs, up-to-date against RFC-6455...

KeyBox - A web-based SSH console that centrally manages administrative access to systems

KeyBox is a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of user's public SSH keys. Key management and administration is based on profiles assigned to defined users. Administrators can login...

Debian Security Advisory DSA 3259-1 (qemu - security update)

Several vulnerabilities were discovered in the qemu virtualisation solution: CVE-2014-9718 It was discovered that the IDE controller emulation is susceptible to denial of service. CVE-2015-1779 Daniel P. Berrange discovered a denial of service vulnerability in the VNC web socket decoder...

Debian DSA-3259-1 : qemu - security update (Venom)

Several vulnerabilities were discovered in the qemu virtualisation solution : - CVE-2014-9718 It was discovered that the IDE controller emulation is susceptible to denial of service. - CVE-2015-1779 Daniel P. Berrange discovered a denial of service vulnerability in the VNC web socket decoder. -...

Google Chrome < 36.0.1985.143 Multiple Vulnerabilities

Binary data 8356.pasl...