The code that initializes the DNS client interface structure does not set sufficiently random transaction IDs (they are always set to 1 in _fnet_dns_poll in fnet_dns.c). Weak Encoding for Password in DoraCMS v2.1.1 and earlier allows attackers to obtain sensitive information as it does not use a random salt or IV for its AES-CBC encryption, causes password encrypted for users to be susceptible to dictionary attacks.Īn issue was discovered in FNET through 4.6.4. Aggressively targeting random pad import endpoints with empty data would flatten all pads due to lack of rate limiting and missing ownership check. Due to the usage of an insecure random number generation function and a deprecated cryptographic function, an attacker could extract the key that is used when communicating with an affected device on port 8080/tcp.Įtherpad < 1.8.3 is affected by a missing lock check which could cause a denial of service. Cross-origin resource sharing trusts random origins by accepting the arbitrary 'Origin: ' header and responding with 200 OK and a wildcard 'Access-Control-Allow-Origin: *' header.Ī vulnerability has been identified in LOGO! 8 BM (incl. Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, able to conduct a successful brute-force attack on an insufficiently random AuthValue before the provisioning procedure times out, to complete authentication by leveraging Malleable Commitment.Īn issue was discovered in API/api/Version in Damstra Smart Asset 2020.7. Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (without possession of the AuthValue used in the provisioning protocol) to determine the AuthValue via a brute-force attack (unless the AuthValue is sufficiently random and changed each time). NOTE: the vendor has patched this while leaving the version number at 1.0.0-beta. Fixes will are available starting with the 3.1.9 and 3.2.6 minor releases. All users of `ds_is_in_list()` without the `$si` variable as 1st parameter could be affected by this vulnerability to a larger, lesser or no extent at all, depending if the data passed to the function is a valid IPv4 or IPv6 address string or not. Prior to versions 3.1.9 and 3.2.6, if `ds_is_in_list()` is used with an invalid IP address string (`NULL` is illegal input), OpenSIPS will attempt to print a string from a random address (stack garbage), which could lead to a crash. OpenSIPS is a Session Initiation Protocol (SIP) server implementation. This issue only affects users who do not have a password policy enabled, so enabling a password policy is an effective mitigation for users unable to upgrade. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. In affected versions the generated fallback password when creating a share was using a weak complexity random number generator, so when the sharer did not change it the password could be guessable to an attacker willing to brute force it. Nextcloud server is an open source home cloud implementation.
0 Comments
Leave a Reply. |