
2469 matches found

CNNVD
added 2021/12/08 12:0 a.m., 1 view

Cross-site scripting vulnerability in multiple Bosch products

Bosch Access Professional Edition is an enterprise access control and security management solution. BOSCH VRM is an application software. Bosch BVMS is an application system. Bosch Access Easy Controller Bosch Aec is an...

CVSS 6.1, AI score 6.1, EPSS 0.00251
Exploits 0, References 2
Huntr
added 2021/12/06 12:52 p.m., 10 views

Cross-site Scripting (XSS) - Reflected in emoncms/emoncms

Description EmonCMS 10.9.19 has 2 reflected XSS vulnerabilities: 1 - one that is executed when a user tries to generate a new app whose name contains JavaScript code. The vulnerability leverages the default option of display_errors within the process_settings.php file, which produces unsanitized erro...

AI score 1.1
Exploits 0, References 1
OSV
added 2021/11/24 8:4 p.m., 22 views

GHSA-Q3J3-W37X-HQ2Q Webcache Poisoning in symfony/http-kernel

Description ----------- When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the X-Forwarded-* HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks. In Symfo...

CVSS 6.5, AI score 6.1, EPSS 0.00462
Exploits 0, References 8
Github Security Blog
added 2021/11/24 8:4 p.m., 32 views

Webcache Poisoning in symfony/http-kernel

Description ----------- When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the X-Forwarded-* HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks. In Symfo...

CVSS 6.5, AI score 6.1, EPSS 0.00462
Exploits 0, References 9, Affected Software 2
CVE
added 2021/11/24 8:25 a.m., 39 views

CVE-2021-20844

CVE-2021-20844 affects Yamaha routers (RTX830, NVR510, NVR700W, RTX1210) via improper neutralization of HTTP request headers in the Web GUI, allowing a remote authenticated attacker to obtain sensitive information through a crafted page. Affected firmware versions are RTX830 <=15.02.17, NVR510...

CVSS 5.7, AI score 5.1, EPSS 0.00338
Exploits 0, References 4, Affected Software 1
Symfony
added 2021/11/24 12:0 a.m., 30 views

CVE-2021-41267: Webcache Poisoning via X-Forwarded-Prefix and sub-request

Description When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the X-Forwarded-* HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks. In Symfony 5.2, we'v...

CVSS 6.5, AI score 6.1, EPSS 0.00462
Exploits 0
CVE
added 2021/11/02 9:44 p.m., 79 views

CVE-2021-42697

CVE-2021-42697 affects Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7, where parsing HTTP headers can stack-exhaust and enable a remote DoS via a User-Agent header containing deeply nested comments. Root cause: stack overflow during header parsing. Public advisories (GHSA/OSV) and explo...

CVSS 7.5, AI score 7.3, EPSS 0.75541
Exploits 5, References 5, Affected Software 1
Fedora
added 2021/09/24 8:50 p.m., 7 views

[SECURITY] Fedora 35 Update: haproxy-2.4.4-1.fc35

HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. Indeed, it can: - route HTTP requests depending on statically assigned cookies - spread load among several servers while assuring server persistence through the use of HTTP cookies - switch to...

AI score 0.8
Exploits 0
OpenVAS
added 2021/09/11 12:0 a.m., 22 views

Python < 3.5.10, 3.6.x < 3.6.12, 3.7.x < 3.7.9, 3.8.x < 3.8.5 Python Issue (bpo-39603) - Mac OS X

http.client in Python is prone to CRLF injection. SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:python:python"; if(description...

CVSS 7.2, AI score 7.6, EPSS 0.00903
Exploits 1, References 2
OpenVAS
added 2021/09/11 12:0 a.m., 22 views

Python < 3.5.10, 3.6.x < 3.6.12, 3.7.x < 3.7.9, 3.8.x < 3.8.5 Python Issue (bpo-39603) - Windows

http.client in Python is prone to CRLF injection. SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:python:python"; if(description...

CVSS 7.2, AI score 7.6, EPSS 0.00903
Exploits 1, References 2
OSV
added 2021/09/10 4:15 a.m., 2 views

CVE-2018-19957

A vulnerability involving insufficient HTTP security headers has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. This vulnerability allows remote attackers to launch privacy and security attacks. We have already fixed this vulnerability in the following versions: QTS...

CVSS 6.1, AI score 5.8, EPSS 0.00317
Exploits 0, References 1
Redos
added 2021/09/08 12:0 a.m., 8 views

ROS-2-1168

2.1168 Vulnerability in Curl CVE-2020-8177 1. Vulnerability Description: The vulnerability allows a local file on the system to be overwritten when accessing an attacker-controlled server. The problem only occurs when the "-J" "--remote-header-name" and "-i" "--head" options are used...

CVSS 7.8, AI score 7.2, EPSS 0.92579
Exploits 82
Redos
added 2021/09/08 12:0 a.m., 21 views

ROS-2-798

2.798 Vulnerability in Curl CVE-2020-8177 1. Vulnerability Description: The vulnerability allows a local file on the system to be overwritten when accessing an attacker-controlled server. The problem only occurs when the "-J" "--remote-header-name" and "-i" "--head" options are used...

CVSS 7.8, AI score 7.2, EPSS 0.00019
Exploits 1
Fedora
added 2021/08/26 9:10 p.m., 30 views

[SECURITY] Fedora 33 Update: haproxy-2.2.16-1.fc33

HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. Indeed, it can: - route HTTP requests depending on statically assigned cookies - spread load among several servers while assuring server persistence through the use of HTTP cookies - switch to...

CVSS 7.5, AI score 0.8, EPSS 0.00467
Exploits 0
RedHat Linux
added 2021/08/25 9:37 a.m., 2 views

envoyproxy/envoy: HTTP request with multiple value headers can bypass authorization policies

An authorization bypass vulnerability was found in envoyproxy/envoy. Envoy incorrectly evaluates an HTTP request with multiple value headers. This flaw allows an attacker to bypass rule policies that use the extauthz extension. The highest threat from this vulnerability is to confidentiality,...

CVSS 8.6, AI score 5.8, EPSS 0.0002
Exploits 0, References 5
OSV
added 2021/08/24 9:15 p.m., 25 views

CVE-2021-32777

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge multiple value headers according to the HTTP spec. However,...

CVSS 8.3, AI score 6.9
Exploits 0, References 2
Tenable Nessus
added 2021/08/12 12:0 a.m., 33 views

Debian DLA-2735-1 : ceph - LTS security update

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2735 advisory. - It was found that in Ceph versions before 13.2.4, authenticated ceph users with read only permissions could steal dm-crypt encryption keys used in ceph disk...

CVSS 6.5, AI score 6, EPSS 0.04603
Exploits 0, References 14
Tenable Nessus
added 2021/08/09 12:0 a.m., 56 views

EulerOS 2.0 SP8 : ceph (EulerOS-SA-2021-2288)

According to the versions of the ceph packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the Red Hat Ceph Storage RGW in versions before 14.2.21. When processing a GET Request for a swift URL that ends with two...

CVSS 6.5, AI score 6.2, EPSS 0.00857
Exploits 0, References 3
Cvelist
added 2021/08/05 10:35 a.m., 17 views

CVE-2021-32598

An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability in FortiManager and FortiAnalyzer GUI 7.0.0, 6.4.6 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow an authenticated and remote attacker to perform an HTTP request splittin...

CVSS 4.3, AI score 5, EPSS 0.00138
Exploits 0, References 1
RedhatCVE
added 2021/08/01 3:46 p.m., 36 views

CVE-2019-9514

A flaw was found in HTTP/2. Using HEADERS frames with invalid HTTP headers and queuing of response RST_STREAM frames, an attacker could cause a flood resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability...

CVSS 7.8, AI score 2.6, EPSS 0.09322
Exploits 0, References 7