Live Breaking News & Updates on Patrick Hof


RWS WorldServer 11.7.3 Session Token Enumeration

Advisory: Session Token Enumeration in RWS WorldServer

Session tokens in RWS WorldServer have a low entropy and can be enumerated, leading to unauthorised access to user sessions.

Details
=======

Product: WorldServer
Affected Versions: 11.7.3 and earlier versions
Fixed Version: 11.8.0
Vulnerability Type: Session Token Enumeration
Security Risk: high
Vendor URL: https://www.rws.com/localization/products/additional-solutions/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-001
Advisory Status: published
CVE: CVE-2023-38357
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38357

Introduction
============

"WorldServer offers a flexible, ....


STARFACE 7.3.0.10 Broken Authentication - KizzMyAnthia.com

Advisory: STARFACE: Authentication with Password Hash Possible

RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database generally has become best practice to protect users' passwords in case of a ....


Pydio Cells 4.1.2 Cross Site Scripting - KizzMyAnthia.com

Advisory: Pydio Cells: Cross-Site Scripting via File Download

Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript [1]. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it is possible to generate valid signatures for arbitrary download URLs. ....


Pydio Cells 4.1.2 Privilege Escalation - KizzMyAnthia.com

Advisory: Pydio Cells: Unauthorised Role Assignments

Pydio Cells allows users by default to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and ....
