File Thingie 2.5.7 Shell Upload
#!/usr/bin/python Exploit Title: File Thingie 2.5.7 - Remote Code Execution (RCE) Google Dork: N/A Date: 27th of April, 2023 Exploit Author: Maurice Fielenbach (grimlockx) - Hexastrike Cybersecurity UG (haftungsbeschränkt) Software Link: https://github.com/leefish/filethingie Version: 2.5.7 Tested on: N...
Debian DSA-5397-1 : wpewebkit - security update
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5397 advisory. - Inappropriate implementation in Navigation in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page...
Stored XSS at User-Agent of Headers
Description Stored XSS attack, also known as persistent XSS attack, refers to a type of web application vulnerability where the attacker injects malicious code or script into the web application, typically into a database or other storage mechanism, and later the code/script is delivered to an...
HTTP Multiline Header Termination
Impact: Affected versions of Laminas Diactoros accepted a single line feed (LF / \n) character at the end of a header name. When serializing such a header name containing a line-feed into the on-the-wire representation of a HTTP/1.x message, the resulting message would be syntactically invalid, due ...
Golang < 1.19.8 / 1.20.x < 1.20.3 Multiple Vulnerabilities
The version of Golang (Go) installed on the remote host is affected by multiple vulnerabilities, as follows: - HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can...
MGASA-2023-0145 Updated golang packages fix security vulnerability
DOS due to incorrect HTTP and MIME header parsing (CVE-2023-24534). DOS due to incorrect Multipart form parsing (CVE-2023-24536). Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow...
CentOS 8 : nodejs:16 (CESA-2023:1582)
The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2023:1582 advisory. - The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression...
Design/Logic Flaw
Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik. HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This...
CVE-2023-29013 HTTP header parsing could cause a deny of service
Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer for deploying microservices. There is a vulnerability in Go when parsing the HTTP headers, which impacts Traefik. HTTP header parsing could allocate substantially more memory than required to hold the parsed headers. This...
The vulnerability of the Jenkins website builder, update-center2, related to errors in handling HTTP headers, allows attackers to perform cross-site scripting (XSS) attacks.
The vulnerability of the Jenkins website builder, Jenkins update-center2, is related to errors in handling HTTP headers. Exploiting this vulnerability allows a malicious actor to perform cross-site scripting (XSS) attacks remotely...
haproxy security update
2.4.17-3.2 - Reject empty http header field names CVE-2023-25725, 2174174 2.4.17-3.1 - Refuse interim responses with end-stream flag set CVE-2023-0056, 2174172...
AZL-52878 CVE-2023-24534 affecting package golang for versions less than 1.20.7-1
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than requir...
AZL-26027 CVE-2023-24534 affecting package msft-golang for versions less than 1.20.7-1
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than requir...
AZL-79066 CVE-2023-24534 affecting package golang 1.25.7-1
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than requir...
AZL-37484 CVE-2023-24534 affecting package golang for versions less than 1.21.6-1
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than requir...
AZL-25990 CVE-2023-24534 affecting package golang for versions less than 1.20.7-1
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than requir...
Rocky Linux 8 : nodejs:16 (RLSA-2023:1582)
The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:1582 advisory. - The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression...
Fedora 38 : nodejs16 / nodejs18 / nodejs20 (2023-973319d5b7)
The remote Fedora 38 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-973319d5b7 advisory. Fixes for virtual Provides/Requires of nodejs and nodejs-devel ---- Assorted fixes for v8-devel ---- Update to 19.8.1 Fix conflict with nodejs18 ---...
CVE-2023-27488
A flaw was found in Envoy which could allow an attacker to bypass authentication checks when extauthz is used by crafting a malicious http header with a non-UTF8 value...
CVE-2023-27493 Envoy doesn't escape HTTP header values
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values ...