20 matches found
EUVD-2022-1868
Malicious code in bioql PyPI...
CVE-2024-25712
http-swagger before 1.2.6 allows XSS via PUT requests, because a file that has been uploaded via httpSwagger.WrapHandler and webdav.memFile can subsequently be accessed via a GET request. NOTE: this is independently fixable with respect to CVE-2022-24863, because if a solution continued to allow...
GO-2022-0427 Unprotected file upload in github.com/swaggo/http-swagger
The httpSwagger package's HTTP handler provides WebDAV read/write access to an in-memory filesystem. An attacker can exploit this to cause memory exhaustion by uploading many files, XSS attacks by uploading malicious files, or other unexpected behaviors...
http-swagger XSS via PUT requests
http-swagger before 1.2.6 allows XSS via PUT requests, because a file that has been uploaded via httpSwagger.WrapHandler and webdav.memFile can subsequently be accessed via a GET request. NOTE: this is independently fixable with respect to CVE-2022-24863, because if a solution continued to allow...
GHSA-49W7-5R33-JM9M http-swagger XSS via PUT requests
http-swagger before 1.2.6 allows XSS via PUT requests, because a file that has been uploaded via httpSwagger.WrapHandler and webdav.memFile can subsequently be accessed via a GET request. NOTE: this is independently fixable with respect to CVE-2022-24863, because if a solution continued to allow...
Code injection
http-swagger before 1.2.6 allows XSS via PUT requests, because a file that has been uploaded via httpSwagger.WrapHandler and webdav.memFile can subsequently be accessed via a GET request. NOTE: this is independently fixable with respect to CVE-2022-24863, because if a solution continued to allow...
CVE-2024-25712
The CVE concerns http-swagger (Go package) and affects http-swagger before 1.2.6, where a file uploaded via httpSwagger.WrapHandler and the in-memory WebDAV filesystem (*webdav.memFile) can later be retrieved with a GET request, enabling XSS via PUT uploads. The issue is confirmed in multiple sour...
GHSA-XG75-Q3Q5-CQMV Denial of Service in http-swagger
Impact Allows an attacker to perform a DOS attack consisting of memory exhaustion on the host system. Patches Yes. Please upgrade to v1.2.6. Workarounds A workaround is to restrict the path prefix to the "GET" method. As shown below func main r := mux.NewRouter...
PT-2022-28166 · Unknown · Http-Swagger
Name of the Vulnerable Software and Affected Versions: http-swagger versions prior to 1.2.6 Description: The issue allows an attacker to perform a denial-of-service DOS attack consisting of memory exhaustion on the host system and cross-site scripting XSS attacks by uploading malicious files. Thi...
CVE-2022-24863
A flaw was found in http-swagger. This flaw allows an attacker to perform a denial of service attack consisting of memory exhaustion on the host system due to improper handling of HTTP methods...
CVE-2022-24863
http-swagger is an open source wrapper to automatically generate RESTful API documentation with Swagger 2.0. In versions of http-swagger prior to 1.2.6 an attacker may perform a denial of service attack consisting of memory exhaustion on the host system. The cause of the memory exhaustion is down...
Design/Logic Flaw
http-swagger is an open source wrapper to automatically generate RESTful API documentation with Swagger 2.0. In versions of http-swagger prior to 1.2.6 an attacker may perform a denial of service attack consisting of memory exhaustion on the host system. The cause of the memory exhaustion is down...
CVE-2022-24863 Denial of service in http-swagger
http-swagger is an open source wrapper to automatically generate RESTful API documentation with Swagger 2.0. In versions of http-swagger prior to 1.2.6 an attacker may perform a denial of service attack consisting of memory exhaustion on the host system. The cause of the memory exhaustion is down...
CVE-2022-24863
CVE-2022-24863 affects the http-swagger package (wrapper for Swagger 2.0 docs). Versions prior to 1.2.6 are vulnerable due to improper handling of HTTP methods, enabling a denial-of-service via memory exhaustion on the host. The issue is mitigated by upgrading to 1.2.6 or by restricting the path ...