Security Bulletin: IBM Datapower Operations Dashboard could allow a remote attacker to bypass security restrictions CVE-2024-38473

Summary Apache HTTP Server is used by the IBM Datapower Operations Dashboard implementation of network operations Vulnerability Details CVEID:CVE-2024-38473 DESCRIPTION: Apache HTTP Server could allow a remote attacker to bypass security restrictions, caused by an encoding flaw in modproxy. By...

CVE-2024-48866

An improper handling of URL encoding Hex Encoding vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to run the system into unexpected state. We have already fixed the vulnerability in the following...

The vulnerability of the modules/proxy/mod_proxy.c component of the Apache HTTP Server, related to a lack of mechanisms for encoding or shielding output data, allows attackers to gain access to confidential data and also trigger a denial-of-service attack.

The vulnerability of the modules/proxy/modproxy.c component of the Apache HTTP Server is related to a lack of mechanisms for encoding or shielding output data. Exploiting this vulnerability can allow an attacker to gain access to confidential data, as well as cause service failures...

httpd: Encoding problem in mod_proxy

A flaw was found in the modproxy module of httpd. Due to an encoding problem, specially crafted request URLs with incorrect encoding can be sent to backend services, potentially bypassing authentication...

httpd: Encoding problem in mod_proxy

A flaw was found in the modproxy module of httpd. Due to an encoding problem, specially crafted request URLs with incorrect encoding can be sent to backend services, potentially bypassing authentication...

ALPINE-CVE-2024-38474

Substitution encoding issue in modrewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to...

CVE-2024-2597

Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting XSS vulnerability through /amssplus/modules/book/main/bookdetailschoolperson.php, in the 'bid' parameter. This vulnerability could allow a remote attacker to send a...

CVE-2024-2595

Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting XSS vulnerability through /amssplus/modules/book/main/bookdetailkhetperson.php, in the 'bid' parameter. This vulnerability could allow a remote attacker to send a...

CVE-2024-2596

Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting XSS vulnerability through /amssplus/modules/mail/main/selectsend.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially...

SAP NetWeaver ABAP Server 跨站脚本漏洞

SAP NetWeaver ABAP Server is a German SAP SAP company used as a Web application server for SAP products. A cross-site scripting vulnerability exists in SAP NetWeaver ABAP Server, which stems from a cross-site scripting XSS vulnerability due to insufficient encoding of user-controlled input. An...

libvpx: Heap buffer overflow in vp8 encoding in libvpx

A heap-based buffer overflow flaw was found in the way libvpx, a library used to process VP8 and VP9 video codecs data, processes certain specially formatted video data via a crafted HTML page. This flaw allows an attacker to crash or remotely execute arbitrary code in an application, such as a w...

IBM WebSphere Application Server 8.5.5.23 < 8.5.5.24 / 9.0.5.15 < 9.0.5.17 (7007857)

The IBM WebSphere Application Server running on the remote host is affected by a improper encoding flaw. IBM WebSphere Application Server 8.5 and 9.0 traditional could provide weaker than expected security, caused by the improper encoding in a local configuration file. Note that Nessus has not...

Mozilla: Out of bounds memory write from EncodeInputStream

The Mozilla Foundation Security Advisory describes this flaw as: When encoding data from an inputStream in xpcom the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write...

CVE-2022-25987

Improper handling of Unicode encoding in source code to be compiled by the IntelR C++ Compiler Classic before version 2021.6 for IntelR oneAPI Toolkits before version 2022.2 may allow an unauthenticated user to potentially enable escalation of privilege via network access...

SUSE CVE-2020-27845

There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior to 2.4.0. If an attacker is able to provide untrusted input to openjpeg's conversion/encoding functionality, they could cause an out-of-bounds read. The highest impact of this flaw is to application availability...

SUSE CVE-2022-22818

The % debug % template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS...

Dell PowerScale OneFS 加密问题漏洞

Dell PowerScale OneFS is an operating system from Dell USA Inc. Dell PowerScale OneFS is vulnerable to an encryption issue stemming from a weak encoding of passwords. A malicious, locally privileged attacker could exploit this vulnerability to cause information disclosure...

libreoffice: Weak Master Keys

A flaw was found in LibreOffice, where the master key was poorly encoded, resulting in weakening its entropy from 128 to 43 bits. This issue makes the stored passwords that are encrypted with a single master key provided by the user vulnerable to a brute force attack if an attacker has access to...

CVE-2022-39017 XSS in all comments fields in M-Files Hubshare

Improper input validation and output encoding in all comments fields, in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to introduce cross-site scripting attacks via specially crafted comments...

CVE-2022-22571

An authenticated high privileged user can perform a stored XSS attack due to incorrect output encoding in Incapptic connect and affects all current versions...