330 matches found

Tenable Nessus
added 2022/11/21 12:0 a.m., 21 views

AlmaLinux 8 : thunderbird (ALSA-2022:8547)

The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2022:8547 advisory. - Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with...

CVSS 9.8 | AI score 7.8 | EPSS 0.00419
Exploits 0 | References 14

RedhatCVE
added 2022/11/16 11:26 a.m., 52 views

CVE-2022-45411

The Mozilla Foundation Security Advisory describes this flaw as: Cross-Site Tracing occurs when a server echoes a request back via the TRACE method, allowing an XSS attack to access authorization headers and cookies that are inaccessible to JavaScript, such as cookies protected by HttpOnly. To mitiga...

CVSS 6.1 | AI score 2.3 | EPSS 0.00207
Exploits 0 | References 5

OSV
added 2022/11/16 12:0 a.m., 0 views

UBUNTU-CVE-2022-45411

Cross-Site Tracing occurs when a server echoes a request back via the TRACE method, allowing an XSS attack to access authorization headers and cookies that are inaccessible to JavaScript, such as cookies protected by HttpOnly. To mitigate this attack, browsers placed limits on fetch and XMLHttpReques...

CVSS 6.1 | AI score 6.9 | EPSS 0.00207
Exploits 0 | References 7

UbuntuCve
added 2022/11/16 12:0 a.m., 25 views

CVE-2022-45411

Cross-Site Tracing occurs when a server echoes a request back via the TRACE method, allowing an XSS attack to access authorization headers and cookies that are inaccessible to JavaScript, such as cookies protected by HttpOnly. To mitigate this attack, browsers placed limits on fetch and XMLHttpReques...

CVSS 6.1 | AI score 6.9 | EPSS 0.00207
Exploits 0 | References 6

Vulnrichment
added 2022/10/07 12:0 a.m., 4 views

CVE-2022-39290 CSRF key bypass using HTTP methods in zoneminder

ZoneMinder is a free, open source closed-circuit television software application. In affected versions, authenticated users can bypass CSRF keys by modifying the request supplied to the ZoneMinder web application. These modifications include replacing HTTP POST with HTTP GET and removing the CS...

CVSS 8 | AI score 8 | EPSS 0.05209
Exploits 4 | References 3

NVD
added 2022/08/22 3:15 p.m., 11 views

CVE-2022-34773

Tabit - HTTP Method manipulation. https://bridge.tabit.cloud/configuration/addresses-query - can be POST-ed to add addresses to the DB. This is an example of OWASP:API8 – Injection...

CVSS 9.8 | EPSS 0.00412
Exploits 0 | References 1

OSV
added 2022/08/22 3:15 p.m., 1 views

CVE-2022-34773

Tabit - HTTP Method manipulation. https://bridge.tabit.cloud/configuration/addresses-query - can be POST-ed to add addresses to the DB. This is an example of OWASP:API8 – Injection...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 1

Prion
added 2022/08/22 3:15 p.m., 11 views

Design/Logic Flaw

Tabit - HTTP Method manipulation. https://bridge.tabit.cloud/configuration/addresses-query - can be POST-ed to add addresses to the DB. This is an example of OWASP:API8 – Injection...

CVSS 7.5 | AI score 9.3 | EPSS 0.00412
Exploits 0 | References 1 | Affected Software 1

Cvelist
added 2022/08/22 2:41 p.m., 17 views

CVE-2022-34773 Tabit - HTTP Method manipulation

Tabit - HTTP Method manipulation. https://bridge.tabit.cloud/configuration/addresses-query - can be POST-ed to add addresses to the DB. This is an example of OWASP:API8 – Injection...

CVSS 4.9 | AI score 9.6 | EPSS 0.00412
Exploits 0 | References 1

CVE
added 2022/08/22 2:41 p.m., 54 views

CVE-2022-34773

CVE-2022-34773 affects Tabit: HTTP Method manipulation via the endpoint https://bridge.tabit.cloud/configuration/addresses-query. The linked records describe that a POST to this URL can add addresses to the database, classed as OWASP API8 – Injection, indicating input/output handling weaknesses a...

CVSS 9.8 | AI score 7.3 | EPSS 0.00412
Exploits 0 | References 1 | Affected Software 1

ATTACKERKB
added 2022/08/17 11:14 a.m., 0 views

CVE-2022-34773

Tabit - HTTP Method manipulation. https://bridge.tabit.cloud/configuration/addresses-query - can be POST-ed to add addresses to the DB. This is an example of OWASP:API8 – Injection...

CVSS 9.8 | AI score 5.9 | EPSS 0.00412
Exploits 0 | References 2 | Affected Software 1

OpenVAS
added 2022/05/26 12:0 a.m., 11 views

Opencast < 9.10 HTTP Method Spoofing Vulnerability

Opencast is prone to an HTTP method spoofing vulnerability. Copyright (C) 2022 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; y...

CVSS 7.5 | AI score 6.5 | EPSS 0.00389
Exploits 1 | References 3

Github Security Blog
added 2022/05/24 5:47 p.m., 41 views

Duplicate Advisory: Improper Neutralization of CRLF Sequences in dio

Duplicate advisory. This advisory has been withdrawn because it is a duplicate of GHSA-9324-jv53-9cc8. This link is maintained to preserve external references. Original description: The dio package prior to 5.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a...

AI score 6.6
Exploits 0 | References 5 | Affected Software 1

OSV
added 2022/05/24 5:47 p.m., 24 views

GHSA-JWPW-Q68H-R678 Duplicate Advisory: Improper Neutralization of CRLF Sequences in dio

Duplicate advisory. This advisory has been withdrawn because it is a duplicate of GHSA-9324-jv53-9cc8. This link is maintained to preserve external references. Original description: The dio package prior to 5.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a...

CVSS 7.5 | AI score 6.4 | EPSS 0.00267
Exploits 1 | References 5

GitLab Advisory Database
added 2022/05/24 12:0 a.m., 3 views

Duplicate Advisory: Improper Neutralization of CRLF Sequences in dio

Duplicate advisory. This advisory has been withdrawn because it is a duplicate of GHSA-9324-jv53-9cc8. This link is maintained to preserve external references. Original description: The dio package prior to 5.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a...

AI score 6.6
Exploits 0 | References 6 | Affected Software 1

OSV
added 2022/05/13 1:46 a.m., 40 views

GHSA-JMVV-524F-HJ5J Improper Handling of Exceptional Conditions in Apache Tomcat

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the origin...

CVSS 7.5 | AI score 6.5 | EPSS 0.10802
Exploits 1 | References 63

Packet Storm
added 2022/05/10 12:0 a.m., 651 views

Spring4Shell Spring Framework Class Property Remote Code Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Spring Framework Class property RCE Spring4Shell', 'Description' = %q Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older...

CVSS 9.8 | AI score 0.4 | EPSS 0.94428
Exploits 99

RedhatCVE
added 2022/05/07 2:1 p.m., 50 views

CVE-2021-39241

haproxy has an input validation flaw that could allow a remote attacker to bypass implemented security restrictions. An HTTP method name may contain a space followed by the name of a protected resource. Given this, it is possible that a server would interpret this as a request for that protected...

CVSS 7.5 | AI score 1.6 | EPSS 0.00444
Exploits 0 | References 3

IBM Security Bulletins
added 2022/04/27 10:23 a.m., 20 views

Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to Insecure HTTP Method - TRACE discovered in MDM User Interface (CVE-2016-9718)

Summary: IBM InfoSphere Master Data Management is vulnerable to a cross-site scripting attack that could allow users to embed arbitrary JavaScript code in MDM User Interfaces and lead to disclosure of credentials. Insecure HTTP Method - TRACE discovered in MDM User Interface affects Inspector and W...

CVSS 3.5 | AI score 0.5 | EPSS 0.00269
Exploits 0 | Affected Software 1

Veracode
added 2022/04/19 5:56 a.m., 21 views

Denial Of Service (DoS)

github.com/swaggo/http-swagger is vulnerable to denial of service. The vulnerability exists in the Handler function in swagger.go, due to handling of a non-standard HTTP method, which allows an attacker to cause the system to crash...

CVSS 7.5 | AI score 1.9 | EPSS 0.00239
Exploits 0 | References 4 | Affected Software 1