137 matches found
UBUNTU-CVE-2025-23048
In some modssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when modssl is configured for multiple virtual hosts, with each restricted to a different set of...
CVE-2025-23048
In some modssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when modssl is configured for multiple virtual hosts, with each restricted to a different set of...
CVE-2025-23048 Apache HTTP Server: mod_ssl access control bypass with session resumption
In some modssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when modssl is configured for multiple virtual hosts, with each restricted to a different set of...
CVE-2025-23048 Apache HTTP Server: mod_ssl access control bypass with session resumption
In some modssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when modssl is configured for multiple virtual hosts, with each restricted to a different set of...
Internet Bug Bounty: TLS client authentication can be bypassed due to ticket resumption
The TLS client authentication can be bypassed due to ticket resumption. The issue was that TLS session tickets were not properly isolated for multiple virtual hosts in one server. This allowed a ticket issued for one virtual host to be resumed at a different virtual host, circumventing client...
PT-2025-54828
Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 11.0.0-M1 through 11.0.14 Apache Tomcat versions 10.1.0-M1 through 10.1.49 Apache Tomcat versions 9.0.0-M1 through 9.0.112 Apache Tomcat versions 8.5.0 through 8.5.100 Description Tomcat did not properly validate the hos...
PT-2025-29117
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.35 through 2.4.63 Description: In certain mod ssl configurations, an access control bypass is possible for trusted clients using TLS 1.3 session resumption. This occurs when mod ssl is configured for multiple...
Virtual Hosts Detected
This is an informational plugin to inform the user that the scanner detected the presence of one or multiple virtual hosts on the target server. No source data...
ExtJS JavaScript framework used in TYPO3 vulnerable to Cross-site Scripting
Failing to properly validate the HTTP host-header TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP host-header to generate absolute URLs in several places like 404 handling, https enforcement, password reset links and many more. Since the host header itself is provided by the client...
GHSA-MXJF-HC9V-XGV2 ExtJS JavaScript framework used in TYPO3 vulnerable to Cross-site Scripting
Failing to properly validate the HTTP host-header TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP host-header to generate absolute URLs in several places like 404 handling, https enforcement, password reset links and many more. Since the host header itself is provided by the client...
BIT-TYPO3-2021-41114
TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the...
Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Imagemagick
auto-cve-2022-44268 Automating expl...
SUSE CVE-2009-0754
PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.funcoverload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server...
SUSE CVE-2018-10847
prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of...
GHSA-9PF7-F47Q-MWPQ Cross-site Scripting in RabbitMQ
Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious use...
CVE-2021-43437
In sourcecodetester Engineers Online Portal as of 10-21-21, an attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Very often multiple websites are hosted on the same IP address. This is where the Host Header comes in. Thi...
httpd:2.4 security update
httpd 2.4.37-43.0.1 - Set vstring per ORACLESUPPORTPRODUCT Orabug: 29892262 - Replace index.html with Oracle's index page oracleindex.html. 2.4.37-43 - Related: 2007235 - CVE-2021-40438 httpd:2.4/httpd: modproxy: SSRF via a crafted request uri-path 2.4.37-42 - Resolves: 2007235 - CVE-2021-40438...
httpd:2.4 security, bug fix, and enhancement update
httpd 2.4.37-41.0.1 - Add checks on the configured UDS path Orabug: 33412270CVE-2021-40438 - Set vstring per ORACLESUPPORTPRODUCT Orabug: 29892262 - Replace index.html with Oracles index page oracleindex.html 2.4.37-41 - Resolves: 1680111 - httpd sends reply to HTTPS GET using two TLS records -...
HTTP Host Header Injection
Meta CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C 3.5 Problem It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the frontend...
HTTP Host Header Injection in Request Handling
It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the frontend rendering process. Since the host header itself is provided by the client, it can b...