363 matches found
CVE-2025-54500
An HTTP/2 implementation flaw allows a denial-of-service DoS that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit HTTP/2 MadeYouReset Attack. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...
UBUNTU-CVE-2025-48989
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected...
CVE-2025-48989
CVE-2025-48989 is an Apache Tomcat vulnerability: an Improper Resource Shutdown or Release issue that affects Tomcat 11.0.x (11.0.0-M1–11.0.9), 10.1.x (10.1.0-M1–10.1.43), and 9.0.x (9.0.0.M1–9.0.107). The root cause is improper release/shutdown handling, exposing high-severity impact (availabili...
MadeYouReset: Turning HTTP/2 Server Against Itself
Introduction HTTP/2 was designed for performance- faster multiplexed connections, stream prioritization, and header compression. But these same features have also opened the door for sophisticated denial-of-service attacks. Back in 2023, the HTTP/2 Rapid Reset vulnerability made headlines after...
Apache Tomcat 安全漏洞
Apache Tomcat is the United States Apache Apache Foundation of a lightweight Web application server for the implementation of Servlet and JavaServer Page JSP support. Apache Tomcat suffers from a denial of service vulnerability due to a forced reset attack in the HTTP/2 implementation. An attacke...
www/varnish7 -- Denial of Service in HTTP/2
Varnish Development Team reports: A denial of service attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker can create a large number of streams and immediately reset them without ever reaching the maximum number of concurrent streams allowed for th...
CVE-2025-8310
Missing authorization in the admin console of Ivanti Virtual Application Delivery Controller before version 22.9 allows a remote authenticated attacker to take over admin accounts by resetting the password...
Fixed in Apache Tomcat 9.0.108
Important: DoS in HTTP/2 due to client triggered stream reset CVE-2025-48989 Tomcat's HTTP/2 implementation was vulnerable to the made you reset attack. The denial of service typically manifested as an OutOfMemoryError. This was fixed with commit f36b8a4e. This issue was reported to the ASF...
Monero: Connection Count Bug in Monero Node Enables Outbound Peer Reset Attack
A vulnerability was disclosed that could cause a Monero node's outbound connections to be dropped. The vulnerability was caused by a flaw in how the node incorrectly counted the number of current outbound connections. An attacker could exploit this flaw to trick the node into mistakenly believing...
ZITADEL 输入验证错误漏洞
ZITADEL is a modern open source alternative to Auth0, Firebase Auth, AWS Cognito, and Keycloak built for the container and serverless era from the Swiss ZITADEL open source. An input validation error vulnerability exists in ZITADEL versions prior to 3.2.2, which stems from a possible manipulation...
CVE-2024-38287
The password-reset mechanism in the Forgot Password functionality in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to force the application into resetting the administrator's password to a random insecure 8-digit value...
CVE-2020-18124
A cross-site request forgery CSRF vulnerability in Indexhibit 2.1.5 allows attackers to arbitrarily reset account passwords...
CVE-2025-1570
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 8.1. This is due to the directoristgeneratepasswordresetpincode and resetuserpassword functions...
CVE-2024-13364
CVE-2024-13364 — Raptive Ads (WordPress) vulnerability : The WordPress plugin Raptive Ads is vulnerable in all versions up to 3.6.3 due to missing capability checks in site_ads_files_reset() and cls_file_reset(), allowing unauthenticated attackers to reset the ad and cls files. The Wordfence-docu...
CVE-2025-26341
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP requests...
openSUSE: Security Advisory for nginx (SUSE-SU-2025:0282-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
SUSE: Security Advisory (SUSE-SU-2025:0282-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Security update for nginx
This update for nginx fixes the following issues: CVE-2023-44487: Mitigate HTTP/2 Rapid Reset Attack bsc1216171 CVE-2024-7347: Fixed worker crashes on special crafted mp4 files containing invalid chunk information bsc1229155 Patch Instructions: To install this SUSE update use the SUSE recommended...
SUSE-SU-2025:0283-1 Security update for nginx
This update for nginx fixes the following issues: - CVE-2023-44487: Mitigate HTTP/2 Rapid Reset Attack bsc1216171 - CVE-2024-7347: Fixed worker crashes on special crafted mp4 files containing invalid chunk information bsc1229155...
SUSE-SU-2025:0282-1 Security update for nginx
This update for nginx fixes the following issues: - CVE-2023-44487: Mitigate HTTP/2 Rapid Reset Attack bsc1216171 - CVE-2024-7347: Fixed worker crashes on special crafted mp4 files containing invalid chunk information bsc1229155...