50 matches found
CVE-2022-48279
In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity C language codebase...
PT-2023-9179 · Unknown +6 · Modsecurity +6
Name of the Vulnerable Software and Affected Versions: ModSecurity versions prior to 2.9.6; ModSecurity versions 3.x prior to 3.0.8. Description: The issue is related to the incorrect parsing of HTTP multipart requests, which could allow an attacker to bypass the Web Application Firewall. This is d...
UBUNTU-CVE-2021-42717
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worke...
PT-2021-5748 · Unknown +5 · Modsecurity +5
Name of the Vulnerable Software and Affected Versions: ModSecurity versions 2.8.0 through 2.9.4; ModSecurity versions 3.0.0 through 3.0.5. Description: The issue is related to the mishandling of excessively nested JSON objects, which can cause the web server to be unable to service legitimate...
PT-2021-4072 · Unknown · Modsecurity
Name of the Vulnerable Software and Affected Versions: ModSecurity versions 3.x before 3.0.4 (version 3.0.4 itself is not affected, so the range simplifies to versions prior to 3.0.4). Description: The issue is related to incorrect parsing of key-value pairs, which can lead to a "string...
Sql injection
cPanel before 57.9999.54 allows SQL Injection via the ModSecurity TailWatch log file SEC-123...
CVE-2019-11391
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDoS) by entering a specially crafted string with $a at the beginning and nested repetition operators. NOTE: the softwa...
CVE-2018-13065
ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. NOTE: a third party has disputed this issue because it may only apply to environments without a Core Rule Set configured...
CVE-2013-5705
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header...
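The entry above is a classic parser-differential bypass: transfer-coding names are case-insensitive (RFC 7230 section 3.3.1), so the backend happily dechunks a body sent with `Transfer-Encoding: Chunked`, but a WAF that only recognises the lowercase spelling never reassembles the body and scans the wrong bytes. The following is an added example, not ModSecurity's code, showing a case-sensitive detector beside an RFC-conformant one, a minimal dechunker, and how a payload split across two chunks slips past the naive path. The SQLI_RULE pattern, the request, and the function names are constructed for this illustration.

```python
import re

# Constructed stand-in for a WAF signature; real rule sets are far larger.
SQLI_RULE = re.compile(r"'\s*OR\s+1\s*=\s*1", re.IGNORECASE)


def get_header(headers: dict, name: str):
    """Header field names are case-insensitive too; look up accordingly."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_chunked_naive(headers: dict) -> bool:
    # Exact, case-sensitive match: the style of check this entry describes.
    return get_header(headers, "Transfer-Encoding") == "chunked"


def is_chunked(headers: dict) -> bool:
    # RFC 7230 section 3.3.1: coding names are case-insensitive, and when several
    # are listed, "chunked" must be the last one applied.
    te = get_header(headers, "Transfer-Encoding")
    if te is None:
        return False
    codings = [c.strip().lower() for c in te.split(",") if c.strip()]
    return bool(codings) and codings[-1] == "chunked"


def dechunk(raw: bytes) -> bytes:
    """Reassemble a chunked body: <hex size>[;ext]CRLF <data>CRLF ... 0CRLF CRLF."""
    out = bytearray()
    pos = 0
    while True:
        end = raw.index(b"\r\n", pos)
        size_line = raw[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
        size = int(size_line, 16)
        pos = end + 2
        if size == 0:
            break  # last-chunk; trailers (if any) follow and are ignored here
        out += raw[pos:pos + size]
        pos += size + 2  # skip the data and its trailing CRLF
    return bytes(out)


def inspect(headers: dict, raw_body: bytes, chunk_detector):
    """Return (body the WAF scanned, whether the rule fired)."""
    if chunk_detector(headers):
        body = dechunk(raw_body)
    else:
        # No recognised transfer coding: the WAF scans the bytes as they arrived.
        body = raw_body
    return body, bool(SQLI_RULE.search(body.decode("latin-1")))


# Constructed request: payload "' OR 1=1--" split across two chunks so the
# chunk-size line and CRLF sit inside the signature when read undecoded.
REQUEST_HEADERS = {"Host": "example.test", "Transfer-Encoding": "Chunked"}
REQUEST_BODY = b"4\r\n' OR\r\n6\r\n 1=1--\r\n0\r\n\r\n"

if __name__ == "__main__":
    print("naive detector:", inspect(REQUEST_HEADERS, REQUEST_BODY, is_chunked_naive))
    print("RFC detector:  ", inspect(REQUEST_HEADERS, REQUEST_BODY, is_chunked))
```

Whether the naive path scans the raw wire bytes (as here) or skips the body because no Content-Length is present, the result is the same: the backend sees `' OR 1=1--` and the WAF does not. The general check a practitioner wants is that the WAF's framing decisions (transfer coding, header-name matching, multipart boundaries) are at least as permissive as the origin server's, never stricter.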
CVE-2013-2765
The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request with a large body and a crafted Content-Type header...