
5762 matches found

CVE
added 2018/12/14 8:0 p.m., 309 views

CVE-2018-20149

WordPress vulnerability CVE-2018-20149 affects WordPress versions prior to 4.9.9 and 5.x prior to 5.0.1 when using Apache. The issue allows uploading crafted files that bypass MIME-type restrictions, enabling cross-site scripting (XSS) as demonstrated by a .jpg file without JPEG data. Debian/DSA ...

CVSS: 5.4, AI score: 7, EPSS: 0.03443
Exploits: 0, References: 9, Affected Software: 1
Amazon
added 2018/12/13 12:0 a.m., 62 views

Medium: httpd24

Issue Overview: In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2...

CVSS: 5.9, AI score: 6.5, EPSS: 0.51002
Exploits: 0
CNVD
added 2018/11/27 12:0 a.m., 14 views

Apache HTTP Server Denial of Service Vulnerability (CNVD-2018-25796)

Apache HTTP Server is an open source web server from the Apache Software Foundation (United States). The server is fast, reliable and can be extended through a simple API. A denial of service vulnerability exists in Apache HTTP Server. A remote attacker can exploit this vulnerability by sending ...

CVSS: 7.5, AI score: 7.5, EPSS: 0.17103
Exploits: 0, References: 1
NVD
added 2018/11/20 7:29 p.m., 27 views

CVE-2018-18864

Loadbalancer.org Enterprise VA MAX before 8.3.3 has XSS because Apache HTTP Server logs are displayed...

CVSS: 9.6, AI score: 9.1, EPSS: 0.0257
Exploits: 2, References: 2
Prion
added 2018/11/20 7:29 p.m., 14 views

Design/Logic Flaw

Loadbalancer.org Enterprise VA MAX before 8.3.3 has XSS because Apache HTTP Server logs are displayed...

CVSS: 9.3, AI score: 8.8, EPSS: 0.0257
Exploits: 2, References: 2, Affected Software: 1
CVE
added 2018/11/20 7:0 p.m., 38 views

CVE-2018-18864

Loadbalancer.org Enterprise VA MAX before 8.3.3 is affected by an unauthenticated stored XSS in the Apache logs. The Packet Storm entry details two vulnerability paths: (1) input from the Basic Auth username stored in the Apache Error Log (HTTPS only), and (2) injected JavaScript via URLs (/?) stored i...

CVSS: 9.6, AI score: 8.8, EPSS: 0.0257
Exploits: 2, References: 2, Affected Software: 1
Cvelist
added 2018/11/20 7:0 p.m., 33 views

CVE-2018-18864

Loadbalancer.org Enterprise VA MAX before 8.3.3 has XSS because Apache HTTP Server logs are displayed...

AI score: 9.1, EPSS: 0.0257
Exploits: 2, References: 2
Fedora
added 2018/11/16 4:49 a.m., 10 views

[SECURITY] Fedora 29 Update: php-7.2.12-1.fc29

PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is...

AI score: 0.4
Exploits: 0
Fedora
added 2018/11/16 2:58 a.m., 11 views

[SECURITY] Fedora 28 Update: php-7.2.12-1.fc28

PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is...

AI score: 0.4
Exploits: 0
IBM Security Bulletins
added 2018/11/15 5:45 p.m., 43 views

Security Bulletin: Rational Build Forge Security Advisory for Apache Tomcat and Apache HTTP Server (CVE-2018-11763; CVE-2018-11784)

Summary: Apache Tomcat and Apache HTTP Server have security vulnerabilities that allow a remote attacker to exploit the application. Respective security vulnerabilities are discussed in detail in the subsequent sections. Vulnerability Details: This section includes the vulnerability details that...

CVSS: 5.9, AI score: 0.2, EPSS: 0.94494
Exploits: 3, Affected Software: 1
RedHat Linux
added 2018/11/13 8:36 a.m., 508 views

Moderate: Red Hat Security Advisory: httpd24 security, bug fix, and enhancement update

An update for httpd24-httpd, httpd24-nghttp2, and httpd24-curl is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, ...

CVSS: 10, AI score: 7, EPSS: 0.86006
Exploits: 0, References: 49
RedHat Linux
added 2018/11/13 8:36 a.m., 5 views

httpd: Out of bounds read in mod_cache_socache can allow a remote attacker to cause DoS

A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out-of-bounds read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considere...

CVSS: 7.5, AI score: 7.2, EPSS: 0.70783
Exploits: 0, References: 4
RedHat Linux
added 2018/11/13 8:36 a.m., 3 views

httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications

It has been discovered that the mod_session module of Apache HTTP Server (httpd), through version 2.4.29, has an improper input validation flaw in the way it handles HTTP session headers in some configurations. A remote attacker may influence their content by using a "Session" header...

CVSS: 5.3, AI score: 7.2, EPSS: 0.10118
Exploits: 0, References: 4
RedHat Linux
added 2018/11/13 8:36 a.m., 3 views

httpd: <FilesMatch> bypass with a trailing newline in the file name

In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the...

CVSS: 8.1, AI score: 7.3, EPSS: 0.86006
Exploits: 0, References: 5
Tenable Nessus
added 2018/11/09 12:0 a.m., 37 views

Amazon Linux 2 : mod_http2 (ALAS-2018-1104)

In Apache HTTP Server, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. CVE-2018-11763 C Tenable...

CVSS: 5.9, AI score: 6.5, EPSS: 0.51002
Exploits: 0, References: 2
Amazon
added 2018/11/07 12:0 a.m., 37 views

Medium: mod_http2

Issue Overview: In Apache HTTP Server, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2...

CVSS: 5.9, AI score: 6.5, EPSS: 0.51002
Exploits: 0
OSV
added 2018/10/30 4:21 p.m., 8 views

SUSE-SU-2018:3582-1 Security update for apache2

This update for apache2 fixes the following issues: Security issues fixed: - CVE-2018-11763: In Apache HTTP Server by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2...

CVSS: 5.9, AI score: 6, EPSS: 0.51002
Exploits: 0, References: 3
Tenable Nessus
added 2018/10/05 12:0 a.m., 38 views

Amazon Linux AMI : mod_perl / mod24_perl (ALAS-2018-1085)

mod_perl allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because contrary to the documentation there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users...

CVSS: 10, AI score: 8, EPSS: 0.08946
Exploits: 0, References: 2
BDU FSTEC
added 2018/10/05 12:0 a.m., 3 views

A vulnerability in the Apache HTTP Server web server, related to insufficient validation of input data, allows attackers to cause service failures.

The vulnerability in Apache HTTP Server is related to insufficient validation of input data. Exploiting this vulnerability allows a malicious actor to cause service interruptions by exhausting the number of simultaneous connections through continuous sending of Maximum Size SETTINGS type fram...

CVSS: 5.3, AI score: 6.9, EPSS: 0.51002
Exploits: 0, References: 19, Affected Software: 8
Tenable Nessus
added 2018/10/04 12:0 a.m., 53 views

Ubuntu 18.04 LTS : Apache HTTP Server vulnerabilities (USN-3783-1)

The remote Ubuntu 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3783-1 advisory. Robert Swiecki discovered that the Apache HTTP Server HTTP/2 module incorrectly destroyed certain streams. A remote attacker could possibly use this issu...

CVSS: 7.5, AI score: 6.8, EPSS: 0.51002
Exploits: 0, References: 4