2469 matches found

Vulnrichment
added 2024/10/09 12:00 a.m., 19 views

CVE-2024-25286

...

8.7 AI score
Exploits: 1
CVE
added 2024/10/09 12:00 a.m., 47 views

CVE-2024-25286

CVE-2024-25286 concerns a CSRF vulnerability in the 3DSecure 2.0 system, specifically the “3DS Authorization Method” of Redsys (3DSecure 2.0). The issue allows an attacker to submit unauthorized form data by manipulating HTTP Origin and Referer headers, potentially triggering unauthorized transac...

7 AI score
Exploits: 1
Cvelist
added 2024/10/09 12:00 a.m., 12 views

CVE-2024-25286

...

Exploits: 1
OSV
added 2024/10/08 4:15 a.m., 12 views

CVE-2024-8927

In PHP versions 8.1.x before 8.1.30, 8.2.x before 8.2.24, 8.3.x before 8.3.12, the HTTP_REDIRECT_STATUS variable is used to check whether or not the CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP...

7.5 CVSS, 6.8 AI score
Exploits: 0, References: 3
Vulnrichment
added 2024/10/08 3:56 a.m., 19 views

CVE-2024-8927 cgi.force_redirect configuration is bypassable due to the environment variable collision

In PHP versions 8.1.x before 8.1.30, 8.2.x before 8.2.24, 8.3.x before 8.3.12, the HTTP_REDIRECT_STATUS variable is used to check whether or not the CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP...

7.5 CVSS, 6.9 AI score, 0.00345 EPSS
Exploits: 1, References: 1
CVE
added 2024/10/08 3:56 a.m., 311 views

CVE-2024-8927

CVE-2024-8927 affects PHP CGI: in PHP 8.1.x/8.2.x/8.3.x, the CGI wrapper relies on the HTTP_REDIRECT_STATUS variable to determine if a CGI binary is run by the server. In some configurations this value can be influenced by HTTP headers, bypassing cgi.force_redirect and potentially enabling arbitr...

7.5 CVSS, 7.7 AI score, 0.00345 EPSS
Exploits: 1, References: 3, Affected Software: 1
Cvelist
added 2024/10/08 3:56 a.m., 34 views

CVE-2024-8927 cgi.force_redirect configuration is bypassable due to the environment variable collision

In PHP versions 8.1.x before 8.1.30, 8.2.x before 8.2.24, 8.3.x before 8.3.12, the HTTP_REDIRECT_STATUS variable is used to check whether or not the CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP...

7.5 CVSS, 0.00345 EPSS
Exploits: 1, References: 1
OSV
added 2024/10/04 8:15 p.m., 1 view

CVE-2024-43683

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Microchip TimeProvider 4100 allows XSS through HTTP headers. This issue affects TimeProvider 4100: from 1.0...

6.1 CVSS, 5.8 AI score, 0.00212 EPSS
Exploits: 0, References: 2
NVD
added 2024/10/04 8:15 p.m., 13 views

CVE-2024-43683

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Microchip TimeProvider 4100 allows XSS through HTTP headers. This issue affects TimeProvider 4100: from 1.0...

8.7 CVSS, 0.00212 EPSS
Exploits: 0, References: 2
CVE
added 2024/10/04 7:56 p.m., 49 views

CVE-2024-43683

CVE-2024-43683 affects Microchip TimeProvider 4100 (from v1.0). The issue is an improper verification of the Host header leading to a URL Redirection to an untrusted site, enabling cross-site scripting via HTTP headers (open redirect). Public documents indicate affected versions start at 1.0, but...

8.7 CVSS, 6 AI score, 0.00212 EPSS
Exploits: 0, References: 2, Affected Software: 1
Vulnrichment
added 2024/10/04 7:56 p.m., 9 views

CVE-2024-43683 Improper verification of the Host header in TimeProvider 4100

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Microchip TimeProvider 4100 allows XSS through HTTP headers. This issue affects TimeProvider 4100: from 1.0...

8.7 CVSS, 6.1 AI score, 0.00212 EPSS
Exploits: 0, References: 2
Rosalinux
added 2024/10/03 8:11 p.m., 93 views

Advisory ROSA-SA-2024-2479

Software: squid 3.5.20. OS: rosa-server79. package_evr_string: squid-3.5.20-17.0.1.res7.10. CVE-ID: CVE-2023-46728. BDU-ID: 2024-01221. CVE-Crit: HIGH. CVE-DESC.: A vulnerability in the Squid proxy server is related to pointer dereferencing errors. Exploitation of the vulnerability could allow an attacke...

8.6 CVSS, 7.3 AI score, 0.09621 EPSS
Exploits: 0
Positive Technologies
added 2024/10/03 12:00 a.m., 3 views

PT-2024-25955 · Mastodon · Mastodon

Name of the Vulnerable Software and Affected Versions: Mastodon version 4.1.6 Description: The issue allows API endpoint rate limiting to be bypassed by setting a crafted HTTP request header. Recommendations: For Mastodon version 4.1.6, as a temporary workaround, consider restricting access to AP...

5.9 CVSS, 6.1 AI score, 0.00072 EPSS
Exploits: 0, References: 9
CNNVD
added 2024/10/01 12:00 a.m., 2 views

HCL Nomad security vulnerability

HCL Nomad is an application from HCL USA for using and managing the Domino application development platform in mobile devices. A security vulnerability exists in HCL Nomad that stems from the default failure to configure certain HTTP security headers on Domino, which could allow an attacker to...

7.5 CVSS, 6.4 AI score, 0.00498 EPSS
Exploits: 0, References: 2
OSV
added 2024/09/26 6:24 p.m., 19 views

GO-2024-3135 HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik

HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik...

9.8 CVSS, 8.4 AI score, 0.13949 EPSS
Exploits: 0, References: 5
OSV
added 2024/09/19 10:51 p.m., 16 views

CVE-2024-45410 HTTP client can remove the X-Forwarded headers in Traefik

Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modif...

9.8 CVSS, 8.7 AI score, 0.13949 EPSS
Exploits: 0, References: 5
Vulnrichment
added 2024/09/19 10:51 p.m., 15 views

CVE-2024-45410 HTTP client can remove the X-Forwarded headers in Traefik

Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modif...

9.8 CVSS, 6.8 AI score, 0.13949 EPSS
Exploits: 0, References: 3
CVE
added 2024/09/19 10:51 p.m., 137 views

CVE-2024-45410

Traefik vulnerability CVE-2024-45410 involves hop-by-hop header handling where X-Forwarded-Host/X-Forwarded-Port (and related headers) could be modified by a client in HTTP/1.1, enabling header manipulation that trusted backend apps may rely on for security decisions. The issue arises from how Tr...

9.8 CVSS, 8.5 AI score, 0.13949 EPSS
Exploits: 0, References: 3, Affected Software: 1
RedhatCVE
added 2024/09/19 5:42 p.m., 11 views

CVE-2024-45410

A flaw was found in Traefik. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modify these headers. Since t...

8.6 CVSS, 6.6 AI score, 0.13949 EPSS
Exploits: 0, References: 8
OSV
added 2024/09/19 2:48 p.m., 32 views

GHSA-62C8-MH53-4CQV HTTP client can manipulate custom HTTP headers that are added by Traefik

Impact: There is a vulnerability in Traefik that allows the client to remove the X-Forwarded headers except the header X-Forwarded-For. Patches: https://github.com/traefik/traefik/releases/tag/v2.11.9, https://github.com/traefik/traefik/releases/tag/v3.1.3. Workarounds: No workaround. For more...

9.3 CVSS, 9.3 AI score, 0.13949 EPSS
Exploits: 0, References: 6