3704 matches found
ALCASAR 'index.php' Crafted HTTP Header RCE
The ALCASAR network access controller hosted on the remote web server is affected by a remote code execution vulnerability because it does not properly sanitize user-supplied input in the 'Host' HTTP header passed to the 'index.php' script. A remote, unauthenticated attacker can exploit this issue to...
CVE-2015-0219
Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an underscore character instead of a '-' (dash) character in an HTTP header name, as demonstrated by an X-Auth_User header...
CVE-2015-0219
CVE-2015-0219 affects Django: WSGI headers can be spoofed when an underscore is used instead of a dash in an HTTP header name (e.g., X-Auth_User). Affected versions are Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3. The root cause is the CGI-style mapping WSGI applies to header names: both X-Auth-User and X-Auth_User become HTTP_X_AUTH_USER in the WSGI environ, so a client-supplied underscore variant collides with, and can overwrite, a header that a front-end proxy is trusted to set...
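The collision behind this spoofing, and the check Django added to close it, shown as an added example (this is not Django's own code). The header names, the proxy/attacker split and the user names are constructed for illustration; the mitigation mirrors what Django's development server does in WSGIRequestHandler.get_environ, which drops any header whose name contains an underscore.

```python
# Added example (not Django's code): why CVE-2015-0219 exists and what the fix checks.
# All header lists below are constructed for illustration.
from typing import Dict, List, Tuple

Header = Tuple[str, str]


def headers_to_environ(headers: List[Header]) -> Dict[str, str]:
    """CGI-style mapping used by WSGI servers: 'X-Auth-User' -> HTTP_X_AUTH_USER.

    Because '-' is rewritten to '_', 'X-Auth_User' maps to the SAME key, and
    whichever header is processed last silently overwrites the earlier one.
    """
    environ: Dict[str, str] = {}
    for name, value in headers:
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ


def drop_ambiguous_headers(headers: List[Header]) -> List[Header]:
    """Mitigation in the spirit of Django's fix: a header name containing '_'
    cannot be told apart from its dashed twin after mapping, so it is removed
    before environ is built. nginx applies the same policy by default
    (underscores_in_headers off)."""
    return [(name, value) for name, value in headers if "_" not in name]


# Constructed scenario: a front-end proxy authenticates the user and forwards
# X-Auth-User; the application trusts environ['HTTP_X_AUTH_USER']. The attacker's
# own request already carries X-Auth_User, which the proxy does not recognise
# as the auth header and therefore passes through untouched.
PROXY_SET: Header = ("X-Auth-User", "alice")
ATTACKER_SENT: Header = ("X-Auth_User", "admin")


def authenticated_user(headers: List[Header], hardened: bool) -> str:
    """Identity the application would trust, with or without the underscore check."""
    if hardened:
        headers = drop_ambiguous_headers(headers)
    return headers_to_environ(headers).get("HTTP_X_AUTH_USER", "")


def demo() -> Dict[str, str]:
    """Proxy header first, attacker header after it (the usual order when a
    proxy appends its own headers): the vulnerable path lets the underscore
    variant win, the hardened path keeps the proxy's value."""
    request = [("Host", "app.example"), PROXY_SET, ATTACKER_SENT]
    return {
        "vulnerable": authenticated_user(request, hardened=False),  # 'admin'
        "hardened": authenticated_user(request, hardened=True),     # 'alice'
    }


if __name__ == "__main__":
    print(demo())
```

Which value wins in the vulnerable path depends on the order in which the WSGI server walks the headers, which an attacker frequently controls; the hardened path removes the ambiguity regardless of order. Note that Django only patched its own development server, so production deployments behind gunicorn, uWSGI or mod_wsgi need the equivalent policy enforced at the reverse proxy.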
Open redirect
Open redirect vulnerability in lib/Cake/Controller/Controller.php in AdaptCMS 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header...
Sierra Wireless AirCard 760S/762S/763S Mobile Hotspot CRLF Injection
Sierra Wireless AirCard 760S/762S/763S Mobile Hotspot CRLF Injection Overview Sierra Wireless produces a mobile Wi-Fi hotspot device that is popular amongst telecommunication companies for re-branding to suit local markets. The AirCard 760S/762S/763S Web-based Administrative Console suffers from ...
CVE-2014-9575
VDG Security SENSE (formerly DIVA) before 2.3.15 allows remote attackers to bypass authentication, and consequently read and modify arbitrary plugin settings, via an encoded ':' (colon) character in the Authorization HTTP header...
Authentication flaw
VDG Security SENSE (formerly DIVA) before 2.3.15 allows remote attackers to bypass authentication, and consequently read and modify arbitrary plugin settings, via an encoded ':' (colon) character in the Authorization HTTP header...
CVE-2014-9575
CVE-2014-9575 affects VDG Security SENSE (formerly DIVA) before 2.3.15. A crafted encoded colon in the Authorization header allows remote attackers to bypass authentication and read/modify arbitrary plugin settings. Remediation: upgrade to 2.3.16 (or later) per available changelog. The reports co...
WordPress Simple Visitor Stat Plugin <= 4.5.2 BYPASS
Because of these vulnerabilities, attackers can inject arbitrary HTML or web script via the HTTP User-Agent or HTTP Referer header. Solution No fix has been released...
Sql injection
SQL injection vulnerability in Php/Functions/logfunction.php in phpTrafficA 2.3 and earlier allows remote attackers to execute arbitrary SQL commands via a User-Agent HTTP header...
CVE-2014-7263
Cross-site scripting (XSS) vulnerability in ULTRAPOP.JP i-HTTPD allows remote attackers to inject arbitrary web script or HTML via a crafted HTTP header, a different vulnerability than CVE-2014-7261...
Cross site scripting
Cross-site scripting (XSS) vulnerability in ULTRAPOP.JP i-HTTPD allows remote attackers to inject arbitrary web script or HTML via a crafted HTTP header, a different vulnerability than CVE-2014-7261...
CVE-2014-7263
CVE-2014-7263: i-HTTPD (Windows) contains a flaw in processing HTTP headers that enables cross-site scripting via a crafted header. The vulnerability allows a remote attacker to induce arbitrary script execution in a user's browser. The JVN entry notes this is a separate issue from CVE-2014-7261...
JVN#87910097: i-HTTPD vulnerable to cross-site scripting
i-HTTPD is a web server for Windows. i-HTTPD contains a flaw in processing HTTP headers, which may lead to cross-site scripting (CWE-79). Impact An arbitrary script may be executed in the user's web browser. Solution Do not use i-HTTPD. i-HTTPD is no longer being developed or maintained. It is...
Web Server Content-Disposition Cross-Site Scripting (CVE-2016-7168)
A cross-site scripting vulnerability exists in the handling of the Content-Disposition HTTP header. Successful exploitation of this vulnerability would allow remote attackers to inject arbitrary web script into the affected system...
Apache Tomcat Multiple Vulnerabilities (Nov 2014)
Apache Tomcat is prone to multiple vulnerabilities. Copyright (C) 2014 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
CVE-2014-8998
lib/message.php in X7 Chat 2.0.0 through 2.0.5.1 allows remote authenticated users to execute arbitrary PHP code via a crafted HTTP header to index.php, which is processed by the preg_replace function with the /e (eval) modifier...
Code injection
lib/message.php in X7 Chat 2.0.0 through 2.0.5.1 allows remote authenticated users to execute arbitrary PHP code via a crafted HTTP header to index.php, which is processed by the preg_replace function with the /e (eval) modifier...