128 matches found
CVE-2021-3116
beforeupstreamconnection in AuthPlugin in http/proxy/auth.py in proxy.py before 2.3.1 accepts incorrect Proxy-Authorization header data because of a boolean confusion and versus or...
CVE-2019-16332
In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS...
CVE-2019-10280
Jenkins Assembla Auth Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system...
CVE-2019-19684
nopCommerce v4.2.0 allows privilege escalation via file upload in Presentation/Nop.Web/Admin/Areas/Controllers/PluginController.cs via Admin/FacebookAuthentication/Configure because it is possible to upload a crafted Facebook Auth plugin...
GHSA-FGQ5-Q76C-GX78 vulnerabilities
Vulnerabilities for packages: thanos, secrets-store-csi-driver-provider-aws, aws-flb-firehose, datadog-agent, local-path-provisioner, secrets-store-csi-driver-provider-azure, crossplane-provider-azure, tailscale, kor, nri-nginx, dockerize, flux-image-automation-controller, prometheus-operator,...
GHSA-J6M3-GC37-6R6Q vulnerabilities
Vulnerabilities for packages: thanos, secrets-store-csi-driver-provider-aws, aws-flb-firehose, datadog-agent, local-path-provisioner, secrets-store-csi-driver-provider-azure, crossplane-provider-azure, tailscale, kor, nri-nginx, dockerize, flux-image-automation-controller, prometheus-operator,...
CVE-2024-32638
Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' vulnerability in Apache APISIX when using forward-auth plugin.This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue...
CVE-2025-23506
CVE-2025-23506 is a Reflected XSS in the WP IMAP Auth plugin affecting versions up to 4.0.1 (NotFound WP IMAP Auth). The root cause is improper neutralization of input during web page generation. CVSS 3.1 base score 7.1 (HIGH) with NETWORK attacker, no user privileges, and user interaction requir...
Session Fixation
org.jenkins-ci.plugins, oic-auth is vulnerable to Session Fixation. The vulnerability is due to the plugin failing to invalidate the previous session on login, allowing an attacker to reuse an old session...
ai.wavemaker.runtime:wavemaker-app-runtime-core (>=1.0.0-20260516144515 <=1.0.0.ee-20260528111216), cc.zzzyu.nacos:default-auth-plugin (=3.1.1) +140 more potentially affected by CVE-2024-38829 via org.springframework.ldap:spring-ldap-core (>=3.0.0 <=3.2.7)
org.springframework.ldap:spring-ldap-core MAVEN version =3.0.0, =1.0.0-20260516144515, =0.0.11, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.11.5 and more Source cves: CVE-2024-38829 Source advisory: OSV:GHSA-MQVR-2RP8-J7H4...
BIT-APISIX-2024-32638 Apache APISIX: Forward-Auth Request Smuggling
Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' vulnerability in Apache APISIX when using forward-auth plugin.This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue...
CVE-2024-32638
Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' vulnerability in Apache APISIX when using forward-auth plugin.This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue...
CVE-2024-32638
This CVE (CVE-2024-32638) concerns Apache APISIX and the forward-auth plugin, where an Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) vulnerability exists. Affected versions are APISIX 3.8.0 and 3.9.0; upgrading to 3.8.1, 3.9.1, or newer mitigates the issue. The vulnerabili...
PT-2024-24735 · Apache · Apache Apisix
Name of the Vulnerable Software and Affected Versions: Apache APISIX versions 3.8.0 through 3.9.0 Description: The issue is related to an Inconsistent Interpretation of HTTP Requests, also known as 'HTTP Request Smuggling', in Apache APISIX when using the forward-auth plugin. Recommendations: For...
GHSA-QPPJ-FM5R-HXR3 vulnerabilities
Vulnerabilities for packages: haproxy-ingress, wireguard-go, conftest, stakater-reloader, grpcurl, kots, dex, kubescape, terraform-provider-sendgrid, aactl, dgraph, node-problem-detector, hugo, kaf, nodetaint, scorecard, amass, nginx-mainline, flux-source-controller, memcached-exporter,...
Cross site request forgery (csrf)
Cross-Site Request Forgery CSRF vulnerability in Sami Ahmed Siddiqui HTTP Auth plugin = 0.3.2 versions...
CVE-2023-27435
The CVE-2023-27435 entry concerns the WordPress HTTP Auth Plugin, vulnerable in versions 0.3.2, with patch 1.0.0 indicated as the fix. Exploitability details in the connected docs show unauthenticated access as a consideration; exploitation status is not definitively provided beyond the CSRF cla...
CVE-2023-27435 WordPress HTTP Auth Plugin <= 0.3.2 is vulnerable to Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery CSRF vulnerability in Sami Ahmed Siddiqui HTTP Auth plugin = 0.3.2 versions...
PT-2023-21124 · Unknown · Sami Ahmed Siddiqui Http Auth Plugin
Name of the Vulnerable Software and Affected Versions: Sami Ahmed Siddiqui HTTP Auth plugin versions 0.3.2 and earlier Description: The issue is related to a Cross-Site Request Forgery CSRF vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended...
Code injection
Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted...