CVE-2020-11585

There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitrary small …

CVE-2020-5300

In Hydra (an OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go), before version 1.4.0+oryOS.17, when using client authentication method ‘private_key_jwt’ [1], OpenId specification says the following about assertion `jti`: “A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, …

Password Protected Malicious Excel Files, (Mon, Apr 6th)

We’ve been seeing quite some malicious Excel files with Excel 4 macros lately. A variant we are observing now, is password protected Excel 4 maldocs, using the binary file format .xls (and not OOXML, .xlsm). Password protected .xls files are not completely encrypted. Simply put: it’s the data of the BIFF records that is encrypted, …
