mfa/FIDO2.py in django-mfa2 before 2.5.1 and 2.6.x before 2.6.1 allows a replay attack that could be used to register another device for a user. The device registration challenge is not invalidated after usage.
References
https://nvd.nist.gov/vuln/det…
OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order…
Metro UI v4.4.0 to v4.5.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Javascript function. User input is not properly sanitized before rendering in the textarea component.
References
https://nvd.nist.gov/vuln…
Impact
An attacker can send an invalid Content-Type header that can cause the application to crash, leading to a possible Denial of Service attack. Only the v4.x line is affected.
(This was updated: upon a close inspection, v3.x is not affected after a…
Impact
There is a potential vulnerability in Traefik managing HTTP/2 connections.
A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service.
Patches
Trae…
Impact
Debug logs expose sensitive URLs for Slack webhooks that contain private information.
Patches
The problem is fixed in v1.3.2 which redacts sensitive URLs for webhooks.
Workarounds
Disabling/filtering debug logs in case you use Slack webhooks usi…
Impact
What kind of vulnerability is it? Who is impacted?
The default cookie name (and documentation recommendation) was prefixed with Host__ instead of __Host-. The point of this prefix is for additional security, to ensure that, when no domain option…
A lack of user input validation leads to an open redirect vulnerability in rdiffweb prior to 2.5.0a4.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3438
https://github.com/ikus060/rdiffweb/commit/4d464b467f14b8eb9103d7f5f0774e49995527c7
https:/…
Impact
Weak encryption on CSRF so tokens can be read by malicious attackers.
Patches
Problems have been patched as of v1.1.0
Workarounds
Upgrade to v1.1.0
References
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_…
Impact
An authenticated user can perform a remote Denial of Service attack against Fat Free CRM.
This vulnerability has been assigned the CVE identifier: CVE-2022-39281
Affected versions: All
Not affected: None
Fixed versions: 0.20.1
All users running …
