Lucene search

2478 matches found

Prion
added 2009/11/29 1:7 p.m., 17 views

Crlf injection

CRLF injection vulnerability in Xerver HTTP Server 4.31 and 4.32 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via certain byte sequences at the end of a URL. NOTE: some of these details are obtained from third party information...

CVSS 5 | AI score 7.3 | EPSS 0.025
Exploits 1 | References 4 | Affected Software 1
UbuntuCve
added 2009/11/13 3:30 p.m., 31 views

CVE-2009-2816

The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, as used in Apple Safari before 4.0.4 and Google Chrome before 3.0.195.33, includes certain custom HTTP headers in the OPTIONS request during cross-origin operations with preflight, which makes it easier for remote attackers to...

CVSS 6.8 | AI score 5.8 | EPSS 0.02154
Exploits 2 | References 1
Cvelist
added 2009/11/13 3:0 p.m., 28 views

CVE-2009-2816

The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, as used in Apple Safari before 4.0.4 and Google Chrome before 3.0.195.33, includes certain custom HTTP headers in the OPTIONS request during cross-origin operations with preflight, which makes it easier for remote attackers to...

AI score 6.2 | EPSS 0.02154
Exploits 2 | References 22
Google Chrome Security Advisories
added 2009/11/12 12:0 a.m., 32 views

Stable Update: Fix Google Chrome not Starting

Google Chrome's Stable channel has been updated to 3.0.195.33 to fix a potential issue that could cause Google Chrome to stop working and a security issue. This release removes a dependency on a Windows library t2embed.dll that is not required by Google Chrome. If that library is missing or the...

CVSS 6.8 | AI score 6.3 | EPSS 0.02154
Exploits 2 | Affected Software 1
Debian CVE
added 2009/11/10 7:0 p.m., 29 views

CVE-2009-2820

The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to a...

CVSS 4.3 | AI score 6.9 | EPSS 0.01995
Exploits 5
Cvelist
added 2009/11/10 7:0 p.m., 19 views

CVE-2009-2820

The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to a...

AI score 6.8 | EPSS 0.01995
Exploits 5 | References 15
RedHat Linux
added 2009/11/09 3:26 p.m., 2 views

tomcat6 Denial-Of-Service with AJP connection

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of...

CVSS 5 | AI score 6.2 | EPSS 0.17506
Exploits 1 | References 4
UbuntuCve
added 2009/11/09 12:0 a.m., 29 views

CVE-2009-2820

The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to a...

CVSS 4.3 | AI score 6 | EPSS 0.01995
Exploits 5 | References 2
Tenable Nessus
added 2009/11/06 12:0 a.m., 546 views

CGI Generic SSI Injection (HTTP headers)

The remote web server hosts one or more CGI scripts that fail to adequately sanitize request strings and seem to be vulnerable to an 'SSI injection' attack. By leveraging this issue, an attacker may be able to execute arbitrary commands on the remote host. ...

AI score 6.1
Exploits 0 | References 3
Tenable Nessus
added 2009/11/06 12:0 a.m., 239 views

CGI Generic SQL Injection (HTTP Headers)

By sending specially crafted HTTP headers to one or more CGI scripts hosted on the remote web server, Nessus was able to cause an error in the underlying database. This error suggests that the CGI scripts are prone to SQL injection attack. An attacker may be able to exploit this issue to bypass...

AI score 5.9
Exploits 0 | References 4
NVD
added 2009/11/05 4:30 p.m., 15 views

CVE-2009-3877

Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to cause a denial of service (memory consumption) via crafted HTTP headers, which are not...

CVSS 5 | AI score 6.2 | EPSS 0.10153
Exploits 1 | References 24
Prion
added 2009/11/05 4:30 p.m., 17 views

Code injection

Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to cause a denial of service (memory consumption) via crafted HTTP headers, which are not...

CVSS 5 | AI score 6.4 | EPSS 0.10153
Exploits 1 | References 24 | Affected Software 3
CVE
added 2009/11/05 4:0 p.m., 117 views

CVE-2009-3877

CVE-2009-3877 affects Sun Java SE/JRE/JDK across multiple releases: JRE/JDK 5.0 before Update 22, JRE/JDK 6 before Update 17, and older 1.3.x before 1.3.1_27 and 1.4.x before 1.4.2_24. Root cause: the ASN.1 DER input stream parser fails to properly parse crafted HTTP headers, enabling a remote at...

CVSS 5 | AI score 6.2 | EPSS 0.10153
Exploits 1 | References 24 | Affected Software 3
EUVD
added 2009/11/05 4:0 p.m., 3 views

EUVD-2009-3848

Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to cause a denial of service (memory consumption) via crafted HTTP headers, which are not...

CVSS 5 | AI score 6.3 | EPSS 0.10153
Exploits 1 | References 36
Cvelist
added 2009/11/05 4:0 p.m., 25 views

CVE-2009-3877

Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to cause a denial of service (memory consumption) via crafted HTTP headers, which are not...

AI score 6.1 | EPSS 0.10153
Exploits 1 | References 24
Kaspersky
added 2009/11/05 12:0 a.m., 137 views

KLA10344 Multiple vulnerabilities in Sun Java SE

Multiple serious vulnerabilities have been found in SUN Java SE. Malicious users can exploit these vulnerabilities to cause denial of service or bypass authentication. Below is a complete list of vulnerabilities: 1. Unknown vectors can be exploited remotely via specially designed HTTP headers or...

CVSS 5 | AI score 6.9 | EPSS 0.11021
Exploits 1 | References 4
Tenable Nessus
added 2009/09/24 12:0 a.m., 29 views

SuSE9 Security Update : nagios-www (YOU Patch Number 10984)

An integer overflow exists within the handling of HTTP headers by CGIs. This could lead to arbitrary code execution by remote attackers on behalf of the Nagios CGI scripts. CVE-2006-2162 has been assigned to this issue. ...

CVSS 5 | AI score 8.9 | EPSS 0.01322
Exploits 0 | References 2
NVD
added 2009/08/31 4:30 p.m., 10 views

CVE-2009-3018

Maxthon Browser 3.0.0.145 Alpha with Ultramode does not properly block javascript: and data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains a javascript: URI, (2)...

CVSS 4.3 | AI score 5.5 | EPSS 0.00285
Exploits 1 | References 4
NVD
added 2009/08/31 4:30 p.m., 8 views

CVE-2009-3015

QtWeb 3.0 Builds 001 and 003 does not properly block javascript: and data: URIs in Refresh and Location headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains a javascript: URI, (2)...

CVSS 4.3 | AI score 5.7 | EPSS 0.00225
Exploits 1 | References 2
Prion
added 2009/08/31 4:30 p.m., 18 views

Cross site scripting

Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly block data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting ...

CVSS 4.3 | AI score 6 | EPSS 0.00356
Exploits 1 | References 3 | Affected Software 3