CVE-2014-9650
CRLF injection vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the download parameter to api/definitions...
CVE-2014-9650
RabbitMQ server (versions 2.1.0–3.4.x, before 3.4.1) contains a CRLF injection vulnerability in the management plugin. The /api/definitions download parameter can inject arbitrary HTTP headers, enabling HTTP response splitting. This remote issue could expose or affect data in responses; no exploi...
Ruby on Rails: RCE due to Web Console IP Whitelist bypass in Rails 4.0 and 4.1
With the release of Ruby on Rails 4.2 the so-called Web Console was introduced. As the Web Console documentation states: Web Console is built explicitly for Rails 4. By default the Web Console is available in the Rails development environment and allows only the IPs 127.0.0.1 and ::1 to access th...
CRLF injection
CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL...
CVE-2014-8150
CVE-2014-8150 is a CRLF injection flaw in libcurl 6.0–7.x prior to 7.40.0. When using an HTTP proxy, an attacker can inject arbitrary HTTP headers and trigger HTTP response splitting via CRLF sequences in the URL. The vulnerability is demonstrated in the public description: it affects libcurl and...
KLA10446 CI vulnerability in Mozilla products
Improper interpretation of HTTP headers was found in Mozilla products. By exploiting this vulnerability malicious users can inject cookies. This vulnerability can be exploited via specially designed HTTP headers. Original advisories: MFSA. Related products: Mozilla-Firefox, Mozilla-Thunderbird...
Nearby Live: Web Server information disclosure.
Dear sirs, there seems to be a vulnerability that exposes web system information through HTTP header methods. As a PoC run: nc -vv www.wnmlive.com 80 DNS fwd/rev mismatch: www.wnmlive.com != ec2-54-67-11-12.us-west-1.compute.amazonaws.com www.wnmlive.com 54.67.11.12 80 http open OPTIONS / HTTP/1...
Cross site scripting
Multiple cross-site scripting (XSS) vulnerabilities in simple-visitor-stat.php in the Simple visitor stat plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP User-Agent or (2) HTTP Referer header...
CVE-2014-9059
lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts...
Cross site scripting
lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts...
CVE-2014-9059
CVE-2014-9059 affects Moodle builds up to 2.7.3 (and older 2.4.x–2.6.x ranges shown in sources). The vulnerability is that lib/setup.php does not emit charset information in HTTP headers, which could allow remote attackers to perform cross-site scripting (XSS) using UTF-7 characters during intera...
CVE-2014-6151
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors...
CVE-2014-6151
CVE-2014-6151: CRLF injection in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and perform HTTP response splitting via unspecified vectors. Affected: TIP bundled with Tivoli Network Manager (e.g., TIP 2.2.x in NM 4.1/4.1.1). Remediati...
CVE-2014-3021
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 does not properly handle HTTP headers, which allows remote attackers to obtain sensitive cookie and authentication data via an unspecified HTTP method...
Design/Logic Flaw
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 does not properly handle HTTP headers, which allows remote attackers to obtain sensitive cookie and authentication data via an unspecified HTTP method...
[SECURITY] [DLA 71-1] apache2 security update
Package: apache2. Version: 2.2.16-6+squeeze14. CVE IDs: CVE-2013-5704, CVE-2014-3581. This update fixes two security issues with apache2. CVE-2013-5704: Disable the possibility to replace HTTP headers with HTTP trailers, as this could be used to circumvent earlier header operations made by other...
DLA-71-1 apache2 - security update
Bulletin has no description...