CVE-2019-5457
Cross-site scripting (XSS) vulnerability in min-http-server, all versions, allows an attacker with access to the server file system to execute arbitrary JavaScript code in the victim's browser...
CVE-2019-5457
CVE-2019-5457 concerns a cross-site scripting (XSS) vulnerability in min-http-server (all versions). The root cause is failure to sanitize filenames in directory listings, allowing an attacker with access to the server file system to inject malicious characters into filenames and have JavaScript ...
Ruby: WEBrick::HTTPAuth::DigestAuth authentication is vulnerable to regular expression denial of service (ReDoS)
The private instance method split_param_value in class WEBrick::HTTPAuth::DigestAuth uses a regular expression that is vulnerable to denial of service due to catastrophic backtracking. The regular expression is: ^\s\w-.\%!+=\s"\.|^""\s,? Source:...
CVE-2019-13955
Mikrotik RouterOS before 6.44.5 long-term release tree is vulnerable to stack exhaustion. By sending a crafted HTTP request, an authenticated remote attacker can crash the HTTP server via recursive parsing of JSON. Malicious code cannot be injected...
CVE-2019-13954
Mikrotik RouterOS before 6.44.5 long-term release tree is vulnerable to memory exhaustion. By sending a crafted HTTP request, an authenticated remote attacker can crash the HTTP server and in some circumstances reboot the system. Malicious code cannot be injected...
CVE-2019-13954
CVE-2019-13954 – MikroTik RouterOS before 6.44.5 is affected by a memory-exhaustion DoS vulnerability in the HTTP server. An authenticated remote attacker can send a crafted HTTP request to crash the HTTP server and, in some cases, reboot the system. Malicious code injection is not possible. The ...
Node.js third-party modules: [script-manager] Unintended require
I would like to report Unintended Require in script-manager. It allows loading arbitrary non-production code js files. Module name: script-manager version: 0.8.6 npm page: https://www.npmjs.com/package/script-manager Module Description node.js manager for running foreign and potentially...
Cross-site Scripting (XSS)
min-http-server is vulnerable to cross-site scripting (XSS). The attack is due to lack of sanitization of filenames before they are rendered as HTML in the directory listing page...
CVE-2019-2751
Vulnerability in the Oracle HTTP Server component of Oracle Fusion Middleware (subcomponent: OHS Config MBeans). Supported versions that are affected are 12.1.3.0.0 and 12.2.1.3.0. This difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via HTTPS to compromise Oracle...
CVE-2019-2751
CVE-2019-2751 affects Oracle Fusion Middleware Oracle HTTP Server (OHS Config MBeans) with affected versions 12.1.3.0.0 and 12.2.1.3.0. The vulnerability allows an unauthenticated attacker with network access via HTTPS to read/modify data, enabling unauthorized access to Oracle HTTP Server data. ...
Security Bulletin: Rational Build Forge Security Advisory for Apache HTTP Server (CVE-2019-0196;CVE-2019-0197;CVE-2019-0211;CVE-2019-0215;CVE-2019-0217; and CVE-2019-0220)
Summary: Apache HTTP Server has security vulnerabilities that allow a remote attacker to exploit the application. The respective security vulnerabilities are discussed in detail in the subsequent sections. Vulnerability Details: This section includes the vulnerability details that affect the Rational...
CVE-2019-13980
In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads/_/originals remote code execution with nginx...
CVE-2019-13980
Directus 7 API (up to version 2.3.0) permits PHP uploads only when using Apache; with nginx, uploads/_/originals can lead to remote code execution. No exploitation details are provided in the given documents beyond this risk description. Remediation/patch details are not included in the connected...