CVE-2017-7687

When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of...

Cross site scripting

Cross-Site Scripting XSS exists in NexusPHP version v1.5 via the url path to usersearch.php...

Axis 2100 Network Camera 2.43 Cross Site Scripting

i?+ Title: Axis 2100 Network Camera 2.43 - Reflected XSS + Credits / Discovery: Nassim Asrir + Author Contact: [email protected] + Author Company: Henceforth + CVE: CVE-2017-12413 Vendor: =============== https://www.axis.com/ Vulnerability Type: =================== Reflected Cross Site Scripting...

CVE-2016-9879

An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to...

Design/Logic Flaw

An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to...

CVE-2016-9879

An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to...

CVE-2016-9879

An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to...

CVE-2016-9879

CVE-2016-9879 affects Spring Security 3.2.x/4.1.x/4.2.x prior to fixed versions. The root cause is how path parameters are handled in the Servlet API: getPathInfo() may include encoded "/" characters, allowing an attacker to bypass security constraints when a request contains a path parameter wit...

CVE-2016-9879

It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint. Mitigation Use a Servlet container known not to include path...

Security Constraint Bypass

Spring security web is vulnerable to security constraint bypass. It does not consider URL path parameters when processing security constraints. By adding an URL path parameter with an encoded / to a request, an attacker is able to bypass a security constraint. The root cause of this issue is a la...

Horos 2.1.0 Web Portal - Directory Traversal

Horos 2.1.0 Web Portal Remote Information Disclosure Exploit Vendor: Horos Project Product web page: https://www.horosproject.org Affected version: 2.1.0 Summary: Horos™ is an open-source, free medical image viewer. The goal of the Horos Project is to develop a fully functional, 64-bit medical...

Directory Traversal

Overview Affected versions of bitty are vulnerable to directory traversal via the URL path in GET requests. Recommendation The bitty package is not currently maintained, and has not seen an update since 2015. At this time, the best available mitigation is to use an alternative module that is...

CVE-2016-2165 Loggregator Request URL Paths | Cloud Foundry

Severity Medium Vendor Cloud Foundry Foundation, VMware Cloud Foundry Versions Affected cf-release v231 and lower Description The Loggregator Traffic Controller endpoints are not cleansing request URL paths when they are invalid and is returning them in the 404 response. This could allow maliciou...

URL Path Containing Suspicious Executable

Certain URL paths may be indicative of malicious executable files that are characteristic of the Locky ransomware. A remote attacker could entice unsuspecting users to access such URLs, leading to execution of malicious files on the affected system...

httpd: NULL pointer dereference crash with ErrorDocument 400 pointing to a local URL-path

A NULL pointer dereference flaw was found in the way httpd generated certain error responses. A remote attacker could possibly use this flaw to crash the httpd child process using a request that triggers a certain HTTP error...

Apache Httpd < 2.4.16 : Crash in ErrorDocument 400 handling

A crash in ErrorDocument handling was found. If ErrorDocument 400 was configured pointing to a local URL-path with the INCLUDES filter active, a NULL dereference would occur when handling the error, causing the child process to crash. This issue affected the 2.4.12 release only...

CVE-2012-5057

CRLF injection vulnerability in ownCloud Server before 4.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the url path parameter...

Crlf injection

CRLF injection vulnerability in ownCloud Server before 4.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the url path parameter...

Khan Academy: Suffix of url-path is vulnerable to XSS-attack

PoC http://smarthistory.khanacademy.org/Campin"alert/BigBear/.html Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them...

Updated cups packages fix CVE-2014-2856

Updated cups packages fix security vulnerability: Cross-site scripting XSS vulnerability in scheduler/client.c in Common Unix Printing System CUPS before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the ispathabsolute function CVE-2014-2856...