The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sen…
[openssl-src] Resource leakage when decoding certificates and keys
The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically deco…
[Masuit.Tools.Core] Code Injection in Masuit.Tools.Core
All versions of package Masuit.Tools.Core are vulnerable to Arbitrary Code Execution via the ReceiveVarData function in the SocketClient.cs component. The socket client in the package can pass in the payload via the user-controllable input after it has…
[org.apache.tomcat:tomcat] Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server’s hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the real…
[feedparser] Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) in feedparser
Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) before 5.0 allows remote attackers to inject arbitrary web script or HTML via vectors involving nested CDATA stanzas.
References
h…
[pyftpdlib] Uncontrolled Resource Consumption in pyftpdlib
Memory leak in the on_dtp_close function in ftpserver.py in pyftpdlib before 0.5.2 allows remote authenticated users to cause a denial of service (memory consumption) by sending a QUIT command during a data transfer.
References
https://nvd.nist.gov/vu…
[pyftpdlib] Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) in pyftpdlib
Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.2 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the getpeername function hav…
[pyftpdlib] Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) in pyftpdlib
Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.1 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having a…
[pyftpdlib] Improper Access Control in pyftpdlib
ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the MLST command, which allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session.
References
https://nvd.nist.g…
[org.mortbay.jetty:jetty] Improper input validation in Mort Bay Jetty
Mort Bay Jetty 6.x through 6.1.22 and 7.0.0 writes backtrace data without sanitizing non-printable characters, which might allow remote attackers to modify a window’s title, or possibly execute arbitrary commands or overwrite files, via an HTTP request…