742 matches found
CVE-2023-31207 Automation user secret logged to Apache access log
Transmission of credentials within query parameters in Checkmk = 2.1.0p26, = 2.0.0p35, and = 2.2.0b6 beta may cause the automation user's secret to be written to the site Apache access log...
CVE-2023-31207
CVE-2023-31207 affects Checkmk; multiple connected sources confirm that transmitting credentials within query parameters can cause the automation user’s secret to be written to the site Apache access log. Affected streams include Checkmk versions ≤ 2.1.0p26, ≤ 2.0.0p35, and ≤ 2.2.0b6 (beta). The ...
PT-2023-23230 · Apache · Apache Http Server
Name of the Vulnerable Software and Affected Versions: Checkmk versions 2.1.0 through 2.1.0p26 Checkmk versions 2.0.0 through 2.0.0p35 Checkmk versions 2.2.0b6 and earlier Description: The issue involves the transmission of credentials within query parameters, potentially causing the automation...
Insufficient Session Expiration
Overview Affected versions of this package are vulnerable to Insufficient Session Expiration such that the token used in the password reset links remains valid even after the password reset and can be used a second time to change the password of the corresponding user. The token expires only 3...
Open Redirect
keycloak-connect is vulnerable to Open Redirect. The vulnerability exists in the module.exports function of the check-sso.js as it does not properly escape the slashes in the cleanUrl attribute, allowing an attacker to redirect the user to malicious urls with query param prompt=none when checking...
EulerOS 2.0 SP5 : golang (EulerOS-SA-2023-1505)
According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during...
directus vulnerable to HTML Injection in Password Reset email to custom Reset URL
Impact Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. Patches The problem has been resolved and released under version 9.23.0. People relying on a custom password reset URL should upgrade to 9.23.0 or...
GHSA-4HMQ-GGRM-QFC6 directus vulnerable to HTML Injection in Password Reset email to custom Reset URL
Impact Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. Patches The problem has been resolved and released under version 9.23.0. People relying on a custom password reset URL should upgrade to 9.23.0 or...
SUSE CVE-2023-25731
Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code. This vulnerability affects Firefox 110...
CVE-2023-27474 HTML Injection in Password Reset email to custom Reset URL in directus
Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users urls to the servers domain...
Prototype Pollution
firefox is vulnerable to Prototype Pollution. The vulnerability exists due to the URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code...
K82679059: BIG-IP APM SSO vulnerability CVE-2016-3686
Security Advisory Description Cleartext SessionID is visible in URL query parameters under some conditions. CVE-2016-3686 Impact There is a theoretical risk that a user could obtain unauthorized access to the system, causing a security breach. Security Advisory Status F5 Product Development has...
Code injection
The Loan Comparison WordPress plugin before 1.5.3 does not validate and escape some of its query parameters before outputting them back in a page/post via an embedded shortcode, which could allow an attacker to inject javascript into into the site via a crafted URL...
golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an...
CVE-2023-25731
The Mozilla Foundation Security Advisory: Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code...
SUSE CVE-2008-2380
SQL injection vulnerability in authpgsqllib.c in Courier-Authlib before 0.62.0, when a non-Latin locale Postgres database is used, allows remote attackers to execute arbitrary SQL commands via query parameters containing apostrophes...
SUSE CVE-2012-2695
The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query...
SUSE CVE-2021-23336
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parseqsl and urllib.parse.parseqs by using a vector called parameter cloaking. When the attacker can...
UBUNTU-CVE-2023-25731
Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code. This vulnerability affects Firefox 110...
CVE-2023-25731
Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code. This vulnerability affects Firefox 110...