221 matches found
Weblate: Weblate |Security Misconfiguration| Method Enumeration Possible on domain
Hi Team, I have found an instance in the application where the application is allowing the OPTIONS method to be processed in an HTTP request from weblate.org, and in response to my request I got the information that these methods are allowed by the application server: "GET, HEAD, OPTIONS". Ideally server should not...
Allowed HTTP Methods
There are a number of HTTP methods that can be used on a webserver: OPTIONS, HEAD, GET, POST, PUT, DELETE, etc. Each of these methods performs a different function, and each has an associated level of risk when its use is permitted on the webserver. By sending an HTTP OPTIONS request and a direct...
Misconfiguration in LIMIT directive of .htaccess file
There are a number of HTTP methods that can be used on a webserver, for example OPTIONS, HEAD, GET, POST, PUT, DELETE, etc. Each of these methods performs a different function, and each has an associated level of risk when its use is permitted on the webserver. The directive within Apache's...
Cisco Identity Services Engine Cross-Site Scripting Vulnerability (cisco-sa-20161207-ise1)
Cisco Identity Services Engine (ISE) contains a vulnerability that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected system. SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be...
CVE-2016-6026
The Configuration Manager in IBM Sterling Secure Proxy (SSP) 3.4.2 before 3.4.2.0 iFix 8 and 3.4.3 before 3.4.3.0 iFix 1 allows man-in-the-middle attackers to obtain sensitive information via an HTTP method that is neither GET nor POST...
Cisco Web Security Appliance Proxy Restrictions Bypass
According to its self-reported version, the Cisco Web Security Appliance (WSA) running on the remote host is affected by a security feature bypass vulnerability that allows an unauthenticated, remote attacker to bypass proxy restrictions via improper or malformed HTTP methods. (C) Tenable Network...
Multiple Cisco Finesse Cross-Site Scripting Vulnerabilities
Multiple vulnerabilities in Cisco Finesse could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks. The vulnerabilities are due to improper input validation of certain parameters passed via HTTP GET or POST methods to an affected device. An unauthenticated, remo...
Cisco Identity Services Engine Cross-Site Scripting Vulnerability
A vulnerability in the Cisco Identity Services Engine (ISE) Infra Admin UI could allow an unauthenticated, remote attacker to perform a cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation of some parameters passed via HTTP GET or POST methods. An attacker coul...
HTTP Methods (CAN-2003-0109; CVE-2007-1560; CVE-2015-1499)
...
Cisco Web Security Appliance HTTP Proxy Bypass Vulnerability
A vulnerability in the proxy engine of the Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to bypass the security restriction. The vulnerability is due to improper handling of malformed HTTP methods. An attacker could exploit this vulnerability by crafting an...
Cisco Jabber Guest Server Cross-Site Scripting Vulnerability
Cisco Jabber Guest Server contains a vulnerability that could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against the user of the web interface of the affected system. The vulnerability is due to insufficient input validation of some parameters...
X (Formerly Twitter): Options Method Enabled
Vuln Details: Domain: https://vine.co/ I detected that OPTIONS method is allowed. This issue is reported as extra information. Impact: Information disclosed from this page can be used to gain additional information about the target system Remedy: Disable OPTIONS method in all production systems...
iOS QuickOffice 3.1.0 - HTTP Method Remote DoS
No description provided by source. Exploit: QuickOffice v3.1.0 for iPhone/iPod Touch Malformed HTTP Method Remote DoS Date: 14/06/2010 Author: Nishant Das Patnaik Website: http://nishantdaspatnaik.yolasite.com Software Link: http://itunes.apple.com/us/app/quickoffice-connect/id304673686?mt=8...
Oracle Linux 5 : piranha (ELSA-2014-0174)
The remote Oracle Linux 5 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2014-0174 advisory. 0.8.4-26.1.0.1 - Replace web/web/RedHat.gif with updated image in tarball 0.8.4-26.1 - Resolves: 1061903 - require authentication for all HTTP methods 0.8.4-26 ...
allowed_methods
This plugin finds which HTTP methods are enabled for a URI. Two configurable parameters exist: execOneTime and reportDavOnly. If "execOneTime" is set to True, then only the methods in the webroot are enumerated. If "reportDavOnly" is set to True, this plugin will only report the enabled method list if...
CVE-2011-4085
The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allows remote attackers to bypass authentication ...
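IBM WebSphere Sensor Events Multiple Input Validation Vulnerabilities
BUGTRAQ ID: 53859 IBM WebSphere Sensor Events provides a middleware infrastructure for creating and managing enterprise-level sensors. The implementation of IBM WebSphere Sensor Events contains P001414 XSS, file path traversal, insecure HTTP methods, and the P001538 cross-site scripting vulnerability within the deferredView.jsp XSS issue in searchView.jsp. Attackers can exploit these vulnerabilities to steal cookie-based authentication credentials, perform unauthorized actions, or leak sensitive information. 0 IBM WebSphere Sensor Events 7.0 Vendor patch: IBM ---...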
Low: Red Hat Security Advisory: JBoss Enterprise Application Platform 5.1.2 update
JBoss Enterprise Application Platform 5.1.2, which fixes two security issues and various bugs and adds several enhancements, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System...
http-method-tamper NSE Script
Attempts to bypass password-protected resources (HTTP 401 status) by performing HTTP verb tampering. If an array of paths to check is not set, it will crawl the web server and perform the check against any password-protected resource that it finds. The script determines if the protected URI is...
Nmap NSE net: http-methods
Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. Optionally tests each method individually to see if they are subject to e.g. IP address restrictions. In this script, 'potentially risky' methods are anything except GET, HEAD,...