url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.
Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat the same input as an absolute URL. If url-parse is...
Netgear RAX43 buffer error vulnerability
The Netgear RAX43 is a router from the American company Netgear: a hardware device that connects two or more networks and acts as a gateway between them. A buffer overflow vulnerability exists in Netgear RAX43 version 1.0.3.96. The vulnerability is caused by the URL parsing functionality of the...
OPENSUSE-SU-2021:1592-1 Security update for nim
This update for nim fixes the following issues: - CVE-2021-41259: Fixed vulnerability in URL parser that allowed a null byte bypass boo1192712 This update was imported from the openSUSE:Leap:15.2:Update update project...
Security update for nim (moderate)
openSUSE Security Update: Security update for nim Announcement ID: openSUSE-SU-2021:1592-1 Rating: moderate References: 1192712 Cross-References: CVE-2021-41259 CVSS scores: CVE-2021-41259 NVD : 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Affected Products: openSUSE Backports SLE-15-SP2 An...
Security update for nim (moderate)
openSUSE Security Update: Security update for nim Announcement ID: openSUSE-SU-2021:1585-1 Rating: moderate References: 1192712 Cross-References: CVE-2021-41259 CVSS scores: CVE-2021-41259 NVD : 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Affected Products: openSUSE Leap 15.2 An update that...
OPENSUSE-SU-2021:1585-1 Security update for nim
This update for nim fixes the following issues: - CVE-2021-41259: Fixed vulnerability in URL parser that allowed a null byte bypass boo1192712...
in osticket/osticket
Description The URL parser incorrectly parses the URL given IFrame src attributes. An attacker is able to inject iframe elements linking to arbitrary domains which can be viewed by admins, bypassing the embedded domain whitelist. Proof of Concept will render malicious-server site rather than...
Prototype Pollution in GraphHopper
This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or proto payload...
GHSA-QHXH-9HHX-6P7V Prototype Pollution in GraphHopper
This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or proto payload...
url-parse input validation error vulnerability
url-parse is an application by the individual developer Arnout Kazemier, USA. It provides URL parsing. An input validation error vulnerability exists in url-parse, which stems from the fact that url-parse is prone to URL redirection to untrusted sites...
Prototype Pollution
graphhopper-web-bundle is vulnerable to prototype pollution. An attacker is able to inject properties into existing construct prototypes through URL parser and modify attributes such as proto, constructor and prototype...
CVE-2021-23408
This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or proto payload...
Design/Logic Flaw
This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or proto payload...
CVE-2021-23408
CVE-2021-23408 affects com.graphhopper:graphhopper-web-bundle. The root cause is a prototype pollution in the URL parser that can add/modify properties on Object.prototype via constructor or proto payload. Affected versions: before 3.2, and 4.0-pre1 through before 4.0. Remediation: upgrade to Gra...
CVE-2021-23408 Prototype Pollution
This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or proto payload...
PT-2021-15499 · Graphhopper · Graphhopper-Web-Bundle
Name of the Vulnerable Software and Affected Versions: com.graphhopper:graphhopper-web-bundle versions prior to 3.2; com.graphhopper:graphhopper-web-bundle versions 4.0-pre1 through 4.0. Description: The issue affects the URL parser, which could be tricked into adding or modifying properties of...
graphhopper security vulnerability
graphhopper is a software application: a fast and memory-efficient Java routing engine, released under the Apache License 2.0. A security vulnerability exists in graphhopper, which stems from the possibility that the URL parser could be tricked into adding or modifying properties of an Object. The...
The vulnerability of the php_url_parse_ex() function in the PHP interpreter allows a hacker to perform an SSRF attack.
The vulnerability of the php_url_parse_ex() function in the PHP interpreter is related to insufficient validation of incoming requests. Exploiting this vulnerability allows a malicious actor to execute an SSRF attack remotely...