The AES-NI implementation of OpenSSL 1.0.1c does not properly compute the length of an encrypted message when used with TLS version 1.1 or above. This leads to an integer underflow which can cause a DoS. The vulnerable function aesni_cbc_hmac_sha1_cipher is only included in the 64-bit versions of OpenSSL. This Metasploit module has been tested successfully on Ubuntu 12.04 (64-bit) with the default OpenSSL 1.0.1c package.
5871459b613b45d42f0cb13e4a97c4441fd3ed0c424828a3919d63334c1585b7
Apache MyFaces versions 2.2.13 and below, 2.3.7 and below, 2.3-next-M4 and below, and 2.1 and below suffer from a cross site request forgery vulnerability.
9496fb42b8d7b245393af79c43e00c9737bf7e2ce2f045cabe480e1ebae73876
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) versions below 6.5 SP2 EN Patch 4 Build 1919 suffer from bypass, command execution, cross site request forgery, cross site scripting, and server-side request forgery vulnerabilities.
54396ecfd1b66aed9f010f421531333fb6ee5cf355c17da0019935bb3b4af762
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) versions prior to 9.1.0 Critical Patch Build 2025 suffer from XML injection, over-privileged access, cross site request forgery, file disclosure, server-side request forgery, information leakage, and various other vulnerabilities.
c7d236bdf962dfa9de93321b3fab630caa7f7676cb4839021d3b0a10b7122b7b
eIDAS-Node versions 2.3 and below suffer from an authentication bypass vulnerability.
abcaa58e91fe819fa9249825cfac8238f70910ce571dbd8fc6495d4a244f7d5e
OpenPGP.js versions 4.2.0 suffer from invalid curve attack, message signature bypass, and information trust vulnerabilities.
0a9d2e92a3d6a166b6fe0aec192bf81aef0d99ec80673eae0c779bd7f3ebc97c
OSCI-Transport Library 1.2 for German e-Government versions 1.8.1 and below suffer from an insecure cryptographic implementation and signature bypass vulnerabilities.
8a86e1c888e889e80fd729c0b736244eff54c47bdb299aa960e521037448b570
Kerio Control VPN Protocol versions 9.2.7 and below have an issue where the cryptographic protocol employed exhibits severe design issues.
d1ff2228600cdc41f9fafb6da994e535fdaaaeb884e11bd2dcc0f93c0c6265d2
Governikus Autent SDK versions 3.8.1 and below suffer from a signature bypass vulnerability. This vulnerability could allow an attacker to impersonate any German citizen on a vulnerable web application.
bc598f9668599f1a40ae05cb09cf65c1e231a9837407f48b0b4f2818d6cc5f45
Citrix StorageZones Controller versions prior to 5.4.2 suffer from padding oracle, improper access restriction, and path traversal vulnerabilities.
ae39dfe4bfaaa26cd2361836889bfa69e570b2f0a6679a9b71736478c8294df6
Oracle Access Manager versions 11.1.2.3.0 and 12.2.1.3.0 suffer from an authentication bypass vulnerability.
3ff8e4e5227e1b994da2325be7ed9d86085196020a85edbd2fa518450b3a1236
SecurEnvoy SecurMail version 9.1.501 suffers from cross site request forgery, cross site scripting, insecure direct object reference, missing authentication and authorization, and path traversal vulnerabilities.
368d7ef3e94a6aa7cbbc75ae1e4f895612f63f355dabd25558996ca782b735f6
Micro Focus VisiBroker C++ version 8.5 SP2 suffers from multiple memory corruption vulnerabilities.
20d06be514a3c5e7552eac8487a7e2ef90f88d1a1ad22ca6b61679bef1d32ed1
OSCI-Transport library version 1.2 for German e-Government suffers from padding oracle, signature wrapping, and XML external entity injection vulnerabilities.
e836d90008122100e3bb9c8d79986aeef8cdb8cc46a5f5f505ce7a6396d60f8e
Guidance Software EnCase Forensic Imager versions 7.10 and below suffer from a stack-based buffer overflow vulnerability.
dde2e54320f7ae0c6125565d33c61a502a0e8d4158b92889665a3941c021109b
EnCase Forensic Imager versions 7.10 and below suffer from denial of service and heap-based buffer overflow vulnerabilities.
7843ed94a73178cbbad1a3abd757df71b39cbeea28ef32b9271d33b5a8956fe1
Micro Focus GroupWise versions 2014 R2 SP1 and below suffer from buffer overflow, cross site scripting, and integer overflow vulnerabilities.
259e1178ca32777e61016eaf9c26499e22db2bed9b9f9028eb31c3fc116900c6
Multiple Micro Focus Filr appliances suffer from cross site request forgery, cross site scripting, command injection, insecure design, missing cookie flag, authentication bypass, poor permission, and path traversal vulnerabilities.
75683bf10479970e059d4148415a4d6ba28a3aaad459288029dd624f6ebfab5d
WSO2 Identity Server version 5.0.0 suffers from XML external entity injection, cross site request forgery, and cross site scripting vulnerabilities.
b23a062266269d325f887cf960d7eb910446d8f0167a0b3dbb117e633cc72a23
Kodi/XBMC versions 14 and below suffer from a cross site request forgery vulnerability.
cecacfa36504e9b71f724b2954aff24637057840d82bcf91a6137809b422a665
NetIQ eDirectory NDS iMonitor versions 8.8 SP8 and 8.8 SP7 suffer from a cross site scripting vulnerability.
42f12d914fa5417e9b3009fd6a0222ff5662fe88ac1c59cf41efc6d5318502e6
NetIQ Access Manager version 4.0 SP1 suffers from cross site request forgery, external entity injection, information disclosure, and cross site scripting vulnerabilities.
320f0bd45b1d76c447e2f9652fd8ee7c2db0f94b4c3c1ff00b05f978a6cc03b0
G-Parted versions 0.14.1 and below suffer from a root privilege escalation command execution vulnerability.
22d59ee6ab3ecbc032151958235d46b8b87c383d2fc085ccae3a73125bc45eb5
ADF Faces version 12.1.2.0 suffers from a cross site scripting vulnerability.
1133f9915da8a3cc4eb0ab104e7646e7507625c906b4f85e176f18b9f5a8961c
Rhythm Software File Manager version 1.16.6 and Rhythm Software File Manager HD version 1.11.5 suffer from local file disclosure, privilege escalation, and unauthenticated remote command injection vulnerabilities.
d2c9981bbbf77d707cbae26f950c18a38e350aeb4c84dd1f06e79d90a6679677