Hoverfly 授权问题漏洞

Hoverfly is a lightweight open source API emulation tool open-sourced by SpectoLabs. An authorization issue vulnerability exists in Hoverfly 1.11.3 and earlier versions that originates from an unprotected WebSocket endpoint and could lead to information disclosure...

PT-2025-37098

Name of the Vulnerable Software and Affected Versions: Hoverfly versions 1.11.3 and prior Description: Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs lacks the authentication middleware present in the REST admin API. This allows an unauthenticated remote attacker to stream real-time...

Linux Distros Unpatched Vulnerability : CVE-2023-2848

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hijacking vulnerability. This was the result of a missing header validation. CVE-2023-2848 Not...

curl: CVE-2025-10148: predictable WebSocket mask

No AI was involved. Summary: The curl WebSocket implementation generates a fixed masking key at the beginning of a connection an re-uses it for every frame: Generation of masking key enc.mask in Curlwsaccept: https://github.com/curl/curl/blob/455afa1de5182b95a5dcc988f18cdff584b95239/lib/ws.cL1340...

Cross-Site WebSocket Hijacking (CSWSH)

github.com/komari-monitor/komari is vulnerable to Cross-Site WebSocket Hijacking CSWSH. The vulnerability is due to disabled origin checking in the WebSocket upgrader, which allows an attacker to send malicious requests using a victim’s browser cookies and achieve remote code execution...

Libsoup: denial of service attack to websocket server

...

Cross-Site WebSocket Hijacking (CSWSH)

github.com/komari-monitor/komari, is vulnerable to Cross-Site WebSocket Hijacking CSWSH. The vulnerability is due to disabled origin checking, which allows an attacker to hijack authenticated user WebSocket connections...

CVE-2025-34157

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting XSS attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to...

Linux Distros Unpatched Vulnerability : CVE-2022-37797

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In lighttpd 1.4.65, modwstunnel does not initialize a handler function pointer if an invalid HTTP request websocket handshake is received. It leads to null...

Linux Distros Unpatched Vulnerability : CVE-2021-32640

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantl...

Linux Distros Unpatched Vulnerability : CVE-2023-48230

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Cap'n Proto is a data interchange format and capability-based RPC system. In versions 1.0 and 1.0.1, when using the KJ HTTP library with WebSocket compression...

Linux Distros Unpatched Vulnerability : CVE-2017-18922

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - It was discovered that websockets.c in LibVNCServer prior to 0.9.12 did not properly decode certain WebSocket frames. A malicious attacker could exploit this by...

SUSE SLES15 / openSUSE 15 Security Update : tomcat10 (SUSE-SU-2025:03006-1)

The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:03006-1 advisory. Updated to Tomcat 10.1.44: - CVE-2025-48989: Fixed 'MadeYouReset' DoS in HTTP/2 due to client triggered stream reset bsc12438...

Security update for tomcat10

This update for tomcat10 fixes the following issues: Updated to Tomcat 10.1.44: CVE-2025-48989: Fixed "MadeYouReset" DoS in HTTP/2 due to client triggered stream reset bsc1243895 Other fixes: Catalina Fix: Fix bloom filter population for archive indexing when using a packed WAR containing one or...

SUSE-SU-2025:03006-1 Security update for tomcat10

This update for tomcat10 fixes the following issues: Updated to Tomcat 10.1.44: - CVE-2025-48989: Fixed 'MadeYouReset' DoS in HTTP/2 due to client triggered stream reset bsc1243895 Other fixes: - Catalina + Fix: Fix bloom filter population for archive indexing when using a packed WAR containing o...

SUSE SLES15 / openSUSE 15 Security Update : tomcat11 (SUSE-SU-2025:02992-1)

The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:02992-1 advisory. Updated to Tomcat 11.0.10 - CVE-2025-48989: Fixed 'MadeYouReset' DoS in HTTP/2 due to client triggered stream reset bsc124389...

CVE-2025-34157

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting XSS attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to...

CVE-2025-34157

CVE-2025-34157 concerns Coolify. A stored XSS in the project-creation workflow affects versions prior to 4.0.0-beta.420.6. An authenticated user with low privileges can craft a project name containing JavaScript, which when an administrator deletes the project executes in the admin context, enabl...

CVE-2025-34157 Coolify Stored Cross-Site Scripting (XSS) in Project Name Field

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting XSS attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to...

CVE-2025-34157

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting XSS attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to...