
CVSS: 7.8 | EPSS: 18% | CPEs: 44 | EXPL: 0

13 Aug 2019 — Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling

CVSS: 7.8 | EPSS: 91% | CPEs: 55 | EXPL: 0

13 Aug 2019 — Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling

CVSS: 9.1 | EPSS: 1% | CPEs: 81 | EXPL: 2

25 Jul 2019 — Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. A Prototype Pollution vulnerability was found in lodash.
CWE-20: Improper Input Validation; CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSS: 5.3 | EPSS: 0% | CPEs: 78 | EXPL: 0

03 Jul 2019 — On BIG-IP 14.1.0-, 14.0.0-, 13.0.0-, 12.1.0-12.1.4, 11.6.1-, and 11.5.1-11.5.8, SNMP exposes sensitive configuration objects over insecure transmission channels. This issue is exposed when a passphrase is inserted into various profile types and accessed using SNMPv2.
CWE-319: Cleartext Transmission of Sensitive Information

CVSS: 6.5 | EPSS: 0% | CPEs: 52 | EXPL: 0

03 Jul 2019 — On BIG-IP 14.1.0-, 14.0.0-, 13.0.0-, and 12.1.0-12.1.4, a high volume of malformed analytics report requests leads to instability in the restjavad process. This causes issues with both iControl REST and some portions of TMUI. The attack requires an authenticated user with any role.

CVSS: 4.4 | EPSS: 0% | CPEs: 78 | EXPL: 0

03 Jul 2019 — On BIG-IP 14.1.0-, 14.0.0-, 13.0.0-, 12.1.0-12.1.4, 11.6.1-, and 11.5.1-11.5.8, when the BIG-IP system is licensed for Appliance mode, a user with either the Administrator or the Resource Administrator role can bypass Appliance mode restrictions.

CVSS: 5.5 | EPSS: 0% | CPEs: 52 | EXPL: 0

03 Jul 2019 — On BIG-IP 14.1.0-, 14.0.0-, 13.0.0-, and 12.1.0-12.1.4, under certain circumstances, attackers can decrypt configuration items that are encrypted because the vCMP configuration unit key is generated with insufficient randomness. The attack prerequisite is direct access to encrypted configuration and/or UCS files.
CWE-330: Use of Insufficiently Random Values

CVSS: 4.4 | EPSS: 0% | CPEs: 78 | EXPL: 0

03 Jul 2019 — On BIG-IP 14.1.0-, 14.0.0-, 13.0.0-, 12.1.0-, and 11.5.1-11.6.4, when the BIG-IP system is licensed with Appliance mode, user accounts with Administrator and Resource Administrator roles can bypass Appliance mode restrictions.

CVSS: 6.1 | EPSS: 0% | CPEs: 65 | EXPL: 0

03 Jul 2019 — On BIG-IP 14.1.0-, 14.0.0-, 13.0.0-, 12.1.0-12.1.4, and 11.5.1-11.6.4, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the BIG-IP Configuration utility.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 52 | EXPL: 0

02 Jul 2019 — On BIG-IP 14.1.0-, 14.0.0-, 13.0.0-, and 12.1.0-12.1.4, undisclosed traffic sent to the BIG-IP iSession virtual server may cause the Traffic Management Microkernel (TMM) to restart, resulting in a Denial-of-Service (DoS).