Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

Caddy Security Vulnerabilities

cve
cve

CVE-2017-5963

An issue was discovered in caddy (for TYPO3) before 7.2.10. The vulnerability exists due to insufficient filtration of user-supplied data in the "paymillToken" HTTP POST parameter passed to the "caddy/Resources/Public/JavaScript/e-payment/paymill/api/php/payment.php" URL. An attacker could execute ...

6.1CVSS

6.4AI Score

0.001EPSS

2017-02-12 04:59 AM
28
In Wild
2
cve
cve

CVE-2018-19148

Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Specifically, when unable to match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost in its configurati...

3.7CVSS

4AI Score

0.001EPSS

2018-11-10 07:29 PM
24
cve
cve

CVE-2018-21246

Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.

9.8CVSS

9.6AI Score

0.003EPSS

2020-06-15 05:15 PM
58
cve
cve

CVE-2022-28923

Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via crafted URLs.

6.1CVSS

6.1AI Score

0.003EPSS

2023-02-06 11:15 PM
55
cve
cve

CVE-2022-29718

Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.

6.1CVSS

6.1AI Score

0.001EPSS

2022-06-02 09:15 PM
48
7
cve
cve

CVE-2022-34037

An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI. Note: This has been disputed as a bug, not a security vulnerability, in the Caddy web server that emerged when an administrat...

7.5CVSS

7.2AI Score

0.001EPSS

2022-07-22 03:15 PM
77
3
cve
cve

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

7.5CVSS

8AI Score

0.732EPSS

2023-10-10 02:15 PM
2913
In Wild
cve
cve

CVE-2023-49854

Cross-Site Request Forgery (CSRF) vulnerability in Tribe Interactive Caddy – Smart Side Cart for WooCommerce.This issue affects Caddy – Smart Side Cart for WooCommerce: from n/a through 1.9.7.

8.8CVSS

8.7AI Score

0.001EPSS

2023-12-18 11:15 AM
16
cve
cve

CVE-2023-50463

The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restri...

6.5CVSS

6.3AI Score

0.001EPSS

2023-12-10 11:15 PM
11