873 matches found
SUSE CVE-2021-23336
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can...
Security Bulletin: Vulnerability in Apache Tomcat affects IBM Process Mining. CVE-2022-42252
Summary There is a vulnerability in Apache Tomcat that could allow an attacker to execute XSS on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details CVEID:CVE-2022-42252 DESCRIPTION: Apache...
CVE-2022-45102
Dell EMC Data Protection Central, versions 19.1 through 19.7, contains a Host Header Injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting arbitrary ‘Host’ header values to poison a web cache or trigger redirections...
Design/Logic Flaw
Dell EMC Data Protection Central, versions 19.1 through 19.7, contains a Host Header Injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting arbitrary ‘Host’ header values to poison a web cache or trigger redirections...
PT-2023-14605 · Dell EMC · Dell EMC Data Protection Central
Name of the Vulnerable Software and Affected Versions: Dell EMC Data Protection Central versions 19.1 through 19.7 Description: The issue allows a remote unauthenticated attacker to potentially exploit it by injecting arbitrary Host header values, which could lead to web cache poisoning or trigge...
Security Bulletin: Apache Tomcat is vulnerable to HTTP request smuggling (CVE-2022-42252)
Summary Apache Tomcat is vulnerable to HTTP request smuggling, caused by the failure to reject a request containing an invalid Content-Length header when configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false. By sending a specially-crafted request, an attacker could...
Security Bulletin: IBM DataPower Gateway vulnerable to HTTP request smuggling (CVE-2022-35256)
Summary This issue may affect the management interface for the API Connect Gateway Service. IBM has addressed the CVE. Vulnerability Details CVEID:CVE-2022-35256 DESCRIPTION: Node.js is vulnerable to HTTP request smuggling, caused by the failure to correctly handle header fields that are not...
WordPress Permalink Manager Lite Cross-Site Request Forgery Vulnerability
WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site request forgery vulnerability exists in WordPress Permalink Manager Lite 2.2.20.1 and prior versions, which stems from missing or...
WordPress plugin Permalink Manager Lite Cross-Site Request Forgery Vulnerability
WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site request forgery vulnerability exists in WordPress Permalink Manager Lite 2.2.20.1 and prior versions, which stems from missing or...
Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to Node.js vulnerabilities (CVE-2022-35256 and CVE-2022-35255)
Summary Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to CVE-2022-35256 and CVE-2022-35255 for Node.js with details below Vulnerability Details CVEID:CVE-2022-35256 DESCRIPTION: Node.js is vulnerable to HTTP request smuggling, caused by the failure to...
Security Bulletin: IBM Sterling Order Management Netty 4.1.34 vulnerability
Summary Netty could provide various potential exploitable entry points including weaker than expected security, netty-codec is vulnerable to a denial of service, and HTTP request smuggling Vulnerability Details CVEID:CVE-2021-37136 DESCRIPTION: Netty netty-codec is vulnerable to a denial of...
[Security Nation] James Kettle of PortSwigger on Advancing Web-Attack Research
In this episode of Security Nation, Jen and Tod talk to James Kettle of PortSwigger. Their discussion includes research for new web-attack technique...
Security Bulletin: Vulnerability in Pallets Werkzeug may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-29361)
Summary HTTP request smuggling vulnerability in Pallets Werkzeug can affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore. Vulnerability Details CVEID:CVE-2022-29361 DESCRIPTION: Pallets Werkzeug is vulnerable to HTTP request smuggling, caused by improper parsing of HTTP...
Web Cache Poisoning
A caching system has been detected on the application and is vulnerable to web cache poisoning. By manipulating specific unkeyed inputs (headers or cookies that are not included when generating the cache key), it was possible to force the caching system to cache a response that contains...
U.S. Dept Of Defense: Host Header Injection on https://███/████████/Account/ForgotPassword
Dear DoD Team, I found one high bug on your another domain. This is from Hack US Program. Affected domain is https://█████/ An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Very often multiple websites are hosted on...
CVE-2022-32214
A vulnerability was found in NodeJS due to the llhttp parser in the http module not strictly using the CRLF sequence to delimit HTTP requests. This issue can lead to HTTP Request Smuggling (HRS). This flaw allows an attacker to send a specially crafted HTTP request to the server and smuggle arbitra...
CVE-2022-32215
A vulnerability was found in NodeJS due to the llhttp parser in the HTTP module incorrectly handling multi-line Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling (HRS). This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle...
CVE-2022-32213
A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling (HRS), causing web cache poisoning, and conducting XSS attacks...