Updated ruby packages fix security vulnerability

If an application that generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body. Also, the contents for a CGI::Cookie object were not checked properly. If an application creates a CGI::Cookie object bas...

www/awstats -- Partial absolute pathname

MITRE reports: It seems 90 is not completely fixed in 7.8. that is, even after CVE-2017-1000501 and CVE-2020-29600 are fixed. In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname omitting the initial /etc, even though it was intended to only read a file in the...

HTTP Response Splitting

ruby is vulnerable to http response splitting. The vulnerability exists when applications use untrusted user input either to generate an HTTP response or to create a cgi cookie object...

CVE-2022-40603

A cross-site scripting XSS vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an...

Cross site scripting

A cross-site scripting XSS vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an...

Zyxel USG/ZyWALL 跨站脚本漏洞

Zyxel USG/ZyWALL is a firewall from China Heqin Zyxel. A security vulnerability exists in Zyxel USG/ZyWALL versions prior to V4.73, VPN versions prior to V5.32, USG FLEX versions prior to V5.32, and ATP versions prior to V5.32, which stems from a Cross-Site Scripting XSS vulnerability in a CGI...

CVE-2022-40603

A cross-site scripting XSS vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an...

Exploit for Path Traversal in Apache Http_Server

Exploit for Apache2 Exploit for path transversal vulnerabilit...

CVE-2022-4257

A vulnerability was found in C-DATA Web Management System. It has been rated as critical. This issue affects some unknown processing of the file cgi-bin/jumpto.php of the component GET Parameter Handler. The manipulation of the argument hostname leads to argument injection. The attack may be...

CVE-2021-33621

A vulnerability was found in Ruby that allows HTTP header injection. A CGI application using the CGI library may insert untrusted input into the HTTP response header. This issue can allow an attacker to insert a newline character to split a header and inject malicious content to deceive clients...

Exploit for Server-Side Request Forgery in Perfsonar

Vendor: perfSONAR Link: https://github.com/perfsonar/ Affected V...

Slackware Linux 15.0 / current ruby Vulnerability (SSA:2022-328-01)

The version of ruby installed on the remote host is prior to 3.0.5 / 3.1.3. It is, therefore, affected by a vulnerability as referenced in the SSA:2022-328-01 advisory. - The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is releva...

FreeBSD : rubygem-cgi -- HTTP response splitting vulnerability (84ab03b6-6c20-11ed-b519-080027f5fec9)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 84ab03b6-6c20-11ed-b519-080027f5fec9 advisory. - The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response...

Slackware: Security Advisory (SSA:2022-328-01)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

[slackware-security] ruby

New ruby packages are available for Slackware 15.0 and -current to fix a security issue. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/ruby-3.0.5-i586-1slack15.0.txz: Upgraded. This release includes a security fix: HTTP response splitting in CGI. For more information,...

PT-2022-6575 · NetGear · Netgear Rax30

Name of the Vulnerable Software and Affected Versions: NETGEAR RAX30 affected versions not specified Description: The issue is related to the handling of JSON data and results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based...

rubygem-cgi -- HTTP response splitting vulnerability

Hiroshi Tokumaru reports: If an application that generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body. Also, the contents for a CGI::Cookie object were not checked properly. If an application create...

HTTP response splitting in CGI

If an application that generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body. Also, the contents for a CGI::Cookie object were not checked properly. If an application creates a CGI::Cookie object bas...

Improper Input Validation

Overview cgi is a Support for the Common Gateway Interface protocol. Affected versions of this package are vulnerable to Improper Input Validation due to improper validation of CGI::Cookie content, which allows an attacker to inject invalid attributes in the Set-Cookie header and insert a newline...

HTTP response splitting in CGI

Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to...