Lucene search
K

5372 matches found

GitLab Advisory Database
GitLab Advisory Database
added 2022/02/12 12:0 a.m.29 views

TLS certificate validation error

In mellium.im/xmpp, an attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. This occurs because the wrong host name is selected during this verification...

5.9CVSS2.8AI score0.00619EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2022/02/11 10:15 p.m.10 views

CVE-2022-24968

In Mellium mellium.im/xmpp through 0.21.0, an attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. This occurs because the wrong host name is selected during this verification...

5.9CVSS5.8AI score0.00619EPSS
Exploits0References3
NVD
NVD
added 2022/02/11 10:15 p.m.35 views

CVE-2022-24968

In Mellium mellium.im/xmpp through 0.21.0, an attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. This occurs because the wrong host name is selected during this verification...

5.9CVSS0.00619EPSS
Exploits0References2
OSV
OSV
added 2022/02/11 10:15 p.m.27 views

CVE-2022-24968

In Mellium mellium.im/xmpp through 0.21.0, an attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. This occurs because the wrong host name is selected during this verification...

5.9CVSS5.6AI score0.00619EPSS
Exploits0References2
Prion
Prion
added 2022/02/11 10:15 p.m.30 views

Design/Logic Flaw

In Mellium mellium.im/xmpp through 0.21.0, an attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. This occurs because the wrong host name is selected during this verification...

4.3CVSS5.4AI score0.00619EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2022/02/11 6:16 p.m.157 views

CVE-2022-24968

The vulnerability affects Mellium mellium.im/xmpp up to version 0.21.0, where spoofing DNS TXT records can redirect a WebSocket connection to an attacker‑controlled server without TLS host verification failing due to incorrect ServerName selection during TLS verification. This can enable MITM red...

5.9CVSS5.3AI score0.00619EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2022/02/11 12:0 a.m.3 views

PT-2022-17018 · Mellium · Mellium

Name of the Vulnerable Software and Affected Versions: Mellium mellium.im/xmpp versions 0.21.0 and earlier Description: An attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail...

5.9CVSS5.2AI score0.00619EPSS
Exploits0References20
CNNVD
CNNVD
added 2022/02/11 12:0 a.m.4 views

Mellium 安全漏洞

Mellium is a feature that provides functionality from the Extensible Messaging and Presence Protocol. Mellium suffers from a security vulnerability that could be exploited by an attacker to redirect WebSocket connection requests to a server under their control without causing TLS certificate...

5.9CVSS5.6AI score0.00619EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2022/02/09 12:0 a.m.31 views

AlmaLinux 8 : libvncserver (ALSA-2020:3385)

The remote AlmaLinux 8 host has a package installed that is affected by a vulnerability as referenced in the ALSA-2020:3385 advisory. - It was discovered that websockets.c in LibVNCServer prior to 0.9.12 did not properly decode certain WebSocket frames. A malicious attacker could exploit this by...

9.8CVSS8.7AI score0.02259EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2022/02/08 10:5 p.m.107 views

Infinite Loop in Apache Tomcat

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of...

7.5CVSS1.9AI score0.87553EPSS
Exploits1References28Affected Software3
OSV
OSV
added 2022/02/08 10:5 p.m.0 views

GHSA-M7JV-HQ7H-MQ7C Infinite Loop in Apache Tomcat

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of...

7.5CVSS6.8AI score0.87553EPSS
Exploits1References28
OSV
OSV
added 2022/02/04 4:38 p.m.4 views

USN-5258-1 weechat vulnerabilities

Stuart Nevans Locke discovered that WeeChat's relay plugin insecurely handled malformed websocket frames. A remote attacker in control of a server could possibly use this issue to cause denial of service in a client. CVE-2021-40516 Stuart Nevans Locke discovered that WeeChat insecurely handled...

9.8CVSS7.2AI score0.03684EPSS
Exploits1References6
OpenVAS
OpenVAS
added 2022/01/28 12:0 a.m.29 views

Mageia: Security Advisory (MGASA-2019-0213)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

9.8CVSS8.2AI score0.20271EPSS
Exploits4References7
OpenVAS
OpenVAS
added 2022/01/28 12:0 a.m.17 views

Mageia: Security Advisory (MGASA-2013-0168)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

7.8CVSS6.4AI score0.03365EPSS
Exploits5References14
OpenVAS
OpenVAS
added 2022/01/28 12:0 a.m.21 views

Mageia: Security Advisory (MGASA-2015-0010)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

5CVSS6.5AI score0.09525EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2022/01/27 9:15 p.m.13 views

CVE-2021-46498

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsiwswebsocketObjFree in src/jsiWebSocket.c. This vulnerability can lead to a Denial of Service DoS...

5.5CVSS5.9AI score0.00638EPSS
Exploits1References2
CNVD
CNVD
added 2022/01/24 12:0 a.m.21 views

Unspecified Vulnerability in Mitsubishi Electric MC Works64

Mitsubishi Electric MC Works64 is a data acquisition and monitoring system SCADA from Mitsubishi Electric Japan. A security vulnerability exists in the Mitsubishi Electric MC Works64 that originates in ICONICS and the Mitsubishi Electric ICONICS product suite, where the FrameWorX server in the...

9.8CVSS9.5AI score0.02884EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2022/01/21 7:15 p.m.5 views

CVE-2022-23128

Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A 10.95.201.23 to 4.04E 10.95.210.01, ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI...

9.8CVSS7.3AI score0.02884EPSS
Exploits0References4
OSV
OSV
added 2022/01/21 7:15 p.m.4 views

CVE-2022-23128

Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A 10.95.201.23 to 4.04E 10.95.210.01, ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI...

9.8CVSS7.4AI score0.02884EPSS
Exploits0References3
Cvelist
Cvelist
added 2022/01/21 6:17 p.m.29 views

CVE-2022-23128

Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A 10.95.201.23 to 4.04E 10.95.210.01, ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI...

9.8AI score0.02884EPSS
Exploits0References3
Rows per page
Query Builder