Summary
CoreWCF: XML Signature Wrapping in WS-Security endorsing/supporting signature verification allows replay of captured signed messages
References
Related vulnerabilities
- HIGH GHSA-RPJ7-HR7H-W6P9: CoreWCF: SamlSerializer skips SignatureValue verification when SAML signing token is not an X.509 certificate
- HIGH GHSA-X92V-RPX6-P6CW: PraisonAI: Webhook signature verification skipped (fail-open) when secret unset, allowing forged inbound webhooks (WhatsApp & Linear bots)
- HIGH GHSA-H5X8-XP6M-X6Q4: @jhb.software/payload-cloudinary-plugin: Arbitrary Cloudinary API Parameter Signing
- MEDIUM GHSA-C7JM-38GQ-H67H: http4k: `ServerFilters.DigestAuth` / `DigestAuthProvider` defaulted to an always-true nonce verifier, disabling replay protection in default deployments
- HIGH GHSA-M4W9-HJFW-VWJ4: http4k: `HmacSha256.hash` (despite the `Hmac` naming) computed a plain unkeyed digest; clarified by deprecation in favour of `Sha256.hash` / `Sha256.hmac`
- CRITICAL GHSA-WFQX-GJRF-G28R: Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag