3718 matches found
CVE-2015-5178
CVE-2015-5178 affects Red Hat JBoss Enterprise Application Platform (EAP) / WildFly up to version 6.4.3 where the Management Console did not send X-Frame-Options, enabling clickjacking via a crafted page containing a FRAME/IFRAME. Remediation per RHSA-2015:1906 is to upgrade to 6.4.4 (EAP/WildFly...
CVE-2015-5178
The Management Console in Red Hat Enterprise Application Platform before 6.4.4 and WildFly formerly JBoss Application Server does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a 1 FRAME or 2...
CVE-2015-5251
OpenStack Image Service Glance before 2014.2.4 juno and 2015.1.x before 2015.1.2 kilo allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/...
Mac OS X : OS X Server < 5.0.15 Multiple Vulnerabilities
The remote Mac OS X host has a version of OS X Server installed that is prior to 5.0.15. It is, therefore, affected by the following vulnerabilities : - A denial of service vulnerability exists due to an assertion flaw that is triggered when parsing malformed DNSSEC keys. An unauthenticated, remo...
Re: CVE-2015-5204: HTTP header injection vulnerability in Apache Cordova File Transfer Plugin for Android
CVE-2015-5204: HTTP header injection vulnerability in Apache Cordova File Transfer Plugin for Android Severity: Medium Vendor: The Apache Software Foundation Versions Affected: Cordova Android File Transfer Plugin 1.2.1 and below Description: Android applications built with the Cordova framework...
CVE-2015-7031
The Web Service component in Apple OS X Server before 5.0.15 omits an unspecified HTTP header configuration, which allows remote attackers to bypass intended access restrictions via unknown vectors...
Design/Logic Flaw
The Web Service component in Apple OS X Server before 5.0.15 omits an unspecified HTTP header configuration, which allows remote attackers to bypass intended access restrictions via unknown vectors...
CVE-2015-7031
The Web Service component in Apple OS X Server before 5.0.15 omits an unspecified HTTP header configuration, which allows remote attackers to bypass intended access restrictions via unknown vectors...
PT-2016-12: HTTP Header Injection in VMware vCenter Server and ESXi
The specialists of the Positive Research center have detected an HTTP Header Injection vulnerability in VMware vCenter Server and ESXi. The application does not properly sanitize user input before using it in HTTP response headers that allows a malicious user to inject arbitrary headers into HTTP...
Kallithea 0.2.9 - 'came_from' HTTP Response Splitting
Kallithea 0.2.9 camefrom HTTP Response Splitting Vulnerability Vendor: Kallithea Product web page: https://www.kallithea-scm.org Version affected: 0.2.9 and 0.2.2 Summary: Kallithea, a member project of Software Freedom Conservancy, is a GPLv3'd, Free Software source code management system that...
Kallithea 0.2.9 HTTP Response Splitting Vulnerability
Kallithea suffers from a HTTP header injection response splitting vulnerability because it fails to properly sanitize user input before using it as an HTTP header value via the GET 'camefrom' parameter in the login instance. This type of attack not only allows a malicious user to control the...
Kallithea 0.2.9 - came_from HTTP Response Splitting
Kallithea 0.2.9 - camefrom HTTP Response Splitting Kallithea 0.2.9 camefrom HTTP Response Splitting Vulnerability Vendor: Kallithea Product web page: https://www.kallithea-scm.org Version affected: 0.2.9 and 0.2.2 Summary: Kallithea, a member project of Software Freedom Conservancy, is a GPLv3'd,...
Kallithea 0.2.9 HTTP Response Splitting
Kallithea 0.2.9 camefrom HTTP Response Splitting Vulnerability Vendor: Kallithea Product web page: https://www.kallithea-scm.org Version affected: 0.2.9 and 0.2.2 Summary: Kallithea, a member project of Software Freedom Conservancy, is a GPLv3'd, Free Software source code management system that...
Imgur: Content Sniffing not enabled
The HTTP header X-Content-Type-Options was not set to nosniff. This can cause some browsers to try to determine the content/encoding type of a response, which is an undesired behavior...
Avira Management Console Server HTTP Header Processing Heap Buffer Overflow
A heap buffer overflow vulnerability has been reported in Avira Management Console Server. The vulnerability exists in the way Update Manager Service handles overly long HTTP headers. A remote unauthenticated attacker could exploit this vulnerability by sending crafted HTTP requests to the server...
Apache Cordova plugin cordova-plugin-file-transfer vulnerable to HTTP header injection
Overview cordova-plugin-file-transfer, a plugin for Apache Cordova provided by the Apache Software Foundation, provides functionality to upload and download files in applications created by Apache Cordova. It also provides functionality to add HTTP headers. Android applications that use...
JVN#21612597: Apache Cordova plugin cordova-plugin-file-transfer vulnerable to HTTP header injection
cordova-plugin-file-transfer, a plugin for Apache Cordova provided by the Apache Software Foundation, provides functionality to upload and download files in applications created by Apache Cordova. It also provides functionality to add HTTP headers. Android applications that use...
CVE-2015-5251
OpenStack Image Service Glance before 2014.2.4 juno and 2015.1.x before 2015.1.2 kilo allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/...
CVE-2015-2917
Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 and Almond-2015 devices with firmware before AL2-R088M unintentionally omit the X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site that contains a 1 FRAM...
Design/Logic Flaw
Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 and Almond-2015 devices with firmware before AL2-R088M unintentionally omit the X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site that contains a 1 FRAM...