CVE-2024-24827

Discourse (open source forum software) is vulnerable to a Denial of Service caused by no rate limit on POST /uploads. The CVE-2024-24827 entry notes that creating an upload is resource-intensive, and impact varies by site settings such as max_image_size_kb, max_attachment_size_kb, and max_image_m...

CVE-2024-24827 No rate limits on POST /uploads endpoint in Discourse

Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact varies from site to...

CVE-2024-24827 No rate limits on POST /uploads endpoint in Discourse

Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact varies from site to...

The vulnerability in the Nginx Vhost Traffic Status (nginx-module-vts) web interface allows for cross-site scripting attacks (XSS) to be carried out by attackers who fail to protect the structure of the web page.

The vulnerability of the Nginx Vhost Traffic Status nginx-module-vts web interface is related to the lack of measures taken to protect the structure of the web page. Exploiting this vulnerability allows a malicious actor to perform cross-site scripting attacks XSS using specially created HTTP...

Design/Logic Flaw

The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service DoS type vulnerability. When receiving compressed HTTP payloads, affected versions of the Router evaluate the...

CVE-2024-24562 Security headers not set in vantage6-UI

vantage6-UI is the official user interface for the vantage6 server. In affected versions a number of security headers are not set. This issue has been addressed in commit 68dfa6614 which is expected to be included in future releases. Users are advised to upgrade when a new release is made. While ...

CVE-2024-24562 Security headers not set in vantage6-UI

vantage6-UI is the official user interface for the vantage6 server. In affected versions a number of security headers are not set. This issue has been addressed in commit 68dfa6614 which is expected to be included in future releases. Users are advised to upgrade when a new release is made. While ...

CVE-2024-24562 Security headers not set in vantage6-UI

vantage6-UI is the official user interface for the vantage6 server. In affected versions a number of security headers are not set. This issue has been addressed in commit 68dfa6614 which is expected to be included in future releases. Users are advised to upgrade when a new release is made. While ...

PT-2024-20453 · Docker +2 · Docker +2

Name of the Vulnerable Software and Affected Versions: vantage6-UI affected versions not specified Description: The issue is related to the absence of certain security headers in the vantage6-UI, which is the official user interface for the vantage6 server. This problem has been addressed in a...

ROS-2-2016

2.2016 Remote code execution in nginxCVE-2021-23017 1. Vulnerability Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to a single error in the ngxresolvercopyfunction when processing DNS responses. A remote...

ROS-2-1571

2.1571 Remote code execution in nginxCVE-2021-23017 1. Vulnerability Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to a single error in the ngxresolvercopyfunction when processing DNS responses. A remote...

ROS-2-1005

2.1005 Remote code execution in nginxCVE-2021-23017 1. Vulnerability Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to a single error in the ngxresolvercopyfunction when processing DNS responses. A remote...

The vulnerability in the Roxy-WI web interface for managing Haproxy, Nginx, Apache, and Keepalived allows a attacker to access protected information.

The vulnerability of the getconfig function in the /app/modules/config/config.py file of the Roxy-WI web interface for controlling Haproxy, Nginx, Apache, and Keepalived servers is related to the possibility of bypassing the path. Exploiting this vulnerability can allow a malicious actor to gain...

CVE-2024-26615

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix illegal rmbdesc access in SMC-D connection dump A crash was found when dumping SMC-D connections. It can be reproduced by following steps: - run nginx/wrk test: smcrun nginx smcrun wrk -t 16 -c 1000 -d -H 'Connection...

Null pointer dereference

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix illegal rmbdesc access in SMC-D connection dump A crash was found when dumping SMC-D connections. It can be reproduced by following steps: - run nginx/wrk test: smcrun nginx smcrun wrk -t 16 -c 1000 -d -H 'Connection...

CVE-2024-28101 Apollo Router's Compressed Payloads do not respect HTTP Payload Limits

The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service DoS type vulnerability. When receiving compressed HTTP payloads, affected versions of the Router evaluate the...

Apollo Router's Compressed Payloads do not respect HTTP Payload Limits

Impact The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service DoS type vulnerability. When receiving compressed HTTP payloads, affected versions of the Route...

BIT-TYPO3-2023-24814

TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component GeneralUtility::getIndpEnv uses the unfiltered server environment variable PATHINFO, which allows attackers to inject malicious content. In...

BIT-DISCOURSE-2022-31182 Cache poisoning via maliciously-formed request in Discourse

Discourse is the an open source discussion platform. In affected versions a maliciously crafted request for static assets could cause error responses to be cached by Discourse's default NGINX proxy configuration. A corrected NGINX configuration is included in the latest stable, beta and...

BIT-OPENRESTY-2020-36309

ngxhttpluamodule aka lua-nginx-module before 0.10.16 in OpenResty allows unsafe characters in an argument when using the API to mutate a URI, or a request or response header...