Amazon Linux AMI : nginx (ALAS-2023-1665)
The version of nginx installed on the remote host is prior to 1.18.0-1.44. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2023-1665 advisory. NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and...
Medium: nginx
Issue Overview: NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memor...
The vulnerability of the utils.exec build method of the Nginx Proxy Manager web proxy server allows a hacker to execute arbitrary commands on the server.
The vulnerability of the utils.exec build method of the Nginx Proxy Manager proxy server exists because measures to eliminate special elements used in operating system commands have not been taken. Exploiting this vulnerability allows a remote attacker to execute arbitrary commands on the server...
CVE-2023-23596
jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. When creating an access list, the backend builds an htpasswd file with crafted username and/or password input that is concatenated without any validation, and is directly passed to the exec command, potentially allowing an...
Command injection
jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. When creating an access list, the backend builds an htpasswd file with crafted username and/or password input that is concatenated without any validation, and is directly passed to the exec command, potentially allowing an...
CVE-2023-23596
CVE-2023-23596 affects jc21 NGINX Proxy Manager up to version 2.9.19. The issue arises when creating an access list: the backend builds an htpasswd file using crafted username/password inputs that are concatenated without validation and directly passed to an exec command, enabling potential OS co...
jc21 NGINX Proxy Manager OS Command Injection Vulnerability
jc21 Nginx Proxy Manager is a graphical user interface for managing Nginx servers. A security vulnerability exists in jc21 NGINX Proxy Manager version 2.9.19 and earlier versions. An attacker can exploit this vulnerability to execute arbitrary commands on the system...
PT-2023-5866
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions prior to 2.4.57; Bamboo Data Center and Server versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.1, and 9.3.0; F5 NGINX products, affected versions not specified; gRPC-Go versions prior to 1.56.3, 1.57.1, and 1.58.3; IBM HTTP...
Transmission for YunoHost SQL Injection Vulnerability
Transmission for YunoHost is a YunoHost transmission package from the individual developers of YunoHost-Apps. Transmission for YunoHost suffers from a SQL injection vulnerability that originates from an unknown function in the file conf/nginx.conf that is manipulated to cause path traversal...
PT-2023-11817 · Yunohost · Transmission Ynh
Name of the Vulnerable Software and Affected Versions: YunoHost-Apps transmission ynh, affected versions not specified. Description: A critical vulnerability has been found in YunoHost-Apps transmission ynh, affecting an unknown function of the file conf/nginx.conf. The manipulation leads to path...
Security Bulletin: A vulnerability in nginx may affect IBM Robotic Process Automation for Cloud Pak resulting in a denial of service (CVE-2022-41741, CVE-2022-41742)
Summary: There is a vulnerability in nginx used by IBM Robotic Process Automation for Cloud Pak as part of the container ingress controller that may result in a denial of service. This bulletin identifies the security fixes to apply to address this vulnerability. Vulnerability Details...
Fedora 35 : nginx (2022-97de53f202)
The remote Fedora 35 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-97de53f202 advisory. Security: processing of a specially crafted mp4 file by the ngx_http_mp4_module might cause a worker process crash, worker process memory disclosure, o...
VulnCheck KEV: CVE-2022-31137
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in...
Fedora 36 : nginx (2022-b0f5bc2175)
The remote Fedora 36 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-b0f5bc2175 advisory. Security: processing of a specially crafted mp4 file by the ngx_http_mp4_module might cause a worker process crash, worker process memory disclosure, o...
Spitfire CMS 1.0.475 PHP Object Injection
Spitfire CMS 1.0.475 cms_backup_values PHP Object Injection. Vendor: Claus Muus. Product web page: http://spitfire.clausmuus.de. Affected version: 1.0.475. Summary: Spitfire is a system to manage the content of webpages. Desc: The application is prone to a PHP Object Injection vulnerability due to the...
Spitfire CMS 1.0.475 PHP Object Injection Vulnerability
Spitfire CMS version 1.0.475 is prone to a PHP object injection vulnerability due to the unsafe use of unserialize function. A potential attacker, authenticated, could exploit this vulnerability by sending specially crafted requests to the web application containing malicious serialized input...
Spitfire CMS 1.0.475 (cms_backup_values) PHP Object Injection
Summary: Spitfire is a system to manage the content of webpages. Description: The application is prone to a PHP Object Injection vulnerability due to the unsafe use of unserialize function. A potential attacker, authenticated, could exploit this vulnerability by sending specially crafted requests t...
CVE-2022-23470
Galaxy is an open-source platform for data analysis. An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the operating system user under which Galaxy is running. This vulnerability affects Galaxy 22.01 and...