20 matches found

OSV
added 2024/06/28 3:28 p.m., 8 views

GO-2024-2560 Open Redirect in github.com/greenpau/caddy-security

Open Redirect in github.com/greenpau/caddy-security...

CVSS 6.1 | AI score 5.4 | EPSS 0.00097
Exploits: 0 | References: 5
OSV
added 2024/06/28 3:28 p.m., 12 views

GO-2024-2549 caddy-security plugin for Caddy vulnerable to reflected Cross-site Scripting in github.com/greenpau/caddy-security

caddy-security plugin for Caddy vulnerable to reflected Cross-site Scripting in github.com/greenpau/caddy-security...

CVSS 6.1 | AI score 6 | EPSS 0.01183
Exploits: 0 | References: 4
OSV
added 2024/06/28 3:28 p.m., 10 views

GO-2024-2563 Improper Restriction of Excessive Authentication Attempts in github.com/greenpau/caddy-security

Improper Restriction of Excessive Authentication Attempts in github.com/greenpau/caddy-security...

CVSS 6.5 | AI score 5 | EPSS 0.00048
Exploits: 1 | References: 5
OSV
added 2024/06/28 3:28 p.m., 7 views

GO-2024-2559 Cross-site Scripting in github.com/greenpau/caddy-security

Cross-site Scripting in github.com/greenpau/caddy-security...

CVSS 6.1 | AI score 6 | EPSS 0.00137
Exploits: 1 | References: 5
Veracode
added 2024/02/19 11:58 a.m., 30 views

Cross-site Scripting (XSS)

github.com/greenpau/caddy-security is vulnerable to Cross-site Scripting XSS via the Referer header. The vulnerability is due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS e.g., &, , ", ', it does not account for an attack...

CVSS 6.1 | AI score 5.4 | EPSS 0.00137
Exploits: 1 | References: 2 | Affected Software: 1
Veracode
added 2024/02/19 8:45 a.m., 16 views

Open Redirection

github.com/greenpau/caddy-security is vulnerable to Open Redirect. The vulnerability is caused when a user clicks on a specially crafted link with a redirecturl parameter while logged in, resulting in the user being redirected to an arbitrary site. The user must take an action, such as clicking o...

CVSS 6.1 | AI score 6.9 | EPSS 0.00097
Exploits: 0 | References: 2 | Affected Software: 1
OSV
added 2024/02/17 6:30 a.m., 17 views

GHSA-R969-783F-6JQR Improper Neutralization of HTTP Headers in github.com/greenpau/caddy-security

All versions of the package github.com/greenpau/caddy-security are vulnerable to HTTP Header Injection via the X-Forwarded-Proto header due to redirecting to the injected protocol. Exploiting this vulnerability could lead to bypass of security mechanisms or confusion in handling TLS...

CVSS 4.3 | AI score 4.7 | EPSS 0.00026
Exploits: 0 | References: 5
GitHub Security Blog
added 2024/02/17 6:30 a.m., 30 views

Improper Restriction of Excessive Authentication Attempts in github.com/greenpau/caddy-security

All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Restriction of Excessive Authentication Attempts via the two-factor authentication 2FA. Although the application blocks the user after several failed attempts to provide 2FA codes, attackers can bypass this...

CVSS 6.5 | AI score 7.1 | EPSS 0.00048
Exploits: 1 | References: 5 | Affected Software: 1
GitHub Security Blog
added 2024/02/17 6:30 a.m., 19 views

Open Redirect in github.com/greenpau/caddy-security

All versions of the package github.com/greenpau/caddy-security are vulnerable to Open Redirect via the redirecturl parameter. An attacker could perform a phishing attack and trick users into visiting a malicious website by crafting a convincing URL with this parameter. To exploit this...

CVSS 6.1 | AI score 6.7 | EPSS 0.00097
Exploits: 0 | References: 5 | Affected Software: 1
OSV
added 2024/02/17 6:30 a.m., 19 views

GHSA-C7VF-M394-M4X4 Use of Insufficiently Random Values in github.com/greenpau/caddy-security

Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for...

CVSS 6.5 | AI score 7.9 | EPSS 0.00126
Exploits: 0 | References: 6
OSV
added 2024/02/17 6:30 a.m., 13 views

GHSA-FF72-FF42-C3GW Cross-site Scripting in github.com/greenpau/caddy-security

All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting XSS via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS e.g., &, , ", ', it does not account for th...

CVSS 6.1 | AI score 5.9 | EPSS 0.00137
Exploits: 1 | References: 5
GitHub Security Blog
added 2024/02/17 6:30 a.m., 15 views

Cross-site Scripting in github.com/greenpau/caddy-security

All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting XSS via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS e.g., &, , ", ', it does not account for th...

CVSS 6.1 | AI score 5.5 | EPSS 0.00137
Exploits: 1 | References: 5 | Affected Software: 1
OSV
added 2024/02/17 6:30 a.m., 14 views

GHSA-VJ36-3CCR-6563 Authentication Bypass by Spoofing in github.com/greenpau/caddy-security

All versions of the package github.com/greenpau/caddy-security are vulnerable to Authentication Bypass by Spoofing via the X-Forwarded-For header due to improper input sanitization. An attacker can spoof an IP address used in the user identity module /whoami API endpoint. This could lead to...

CVSS 5.4 | AI score 5.2 | EPSS 0.00027
Exploits: 0 | References: 5
GitHub Security Blog
added 2024/02/17 6:30 a.m., 18 views

Insufficient Session Expiration in github.com/greenpau/caddy-security

All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the "Sign Out" button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers w...

CVSS 8.1 | AI score 7 | EPSS 0.01067
Exploits: 1 | References: 5 | Affected Software: 1
NVD
added 2024/02/17 5:15 a.m., 8 views

CVE-2024-21497

Versions of the package github.com/greenpau/caddy-security are vulnerable to Open Redirect via the redirecturl parameter. An attacker could perform a phishing attack and trick users into visiting a malicious website by crafting a convincing URL with this parameter. To exploit this vulnerability,...

CVSS 6.1 | AI score 5.4 | EPSS 0.00097
Exploits: 0 | References: 3
Prion
added 2024/02/17 5:15 a.m., 15 views

Server-side Request Forgery (SSRF)

All versions of the package github.com/greenpau/caddy-security are vulnerable to Server-side Request Forgery SSRF via X-Forwarded-Host header manipulation. An attacker can expose sensitive information, interact with internal services, or exploit other vulnerabilities within the network by...

CVSS 5 | AI score 7.3 | EPSS 0.00157
Exploits: 1 | References: 3
Prion
added 2024/02/17 5:15 a.m., 11 views

Input validation

All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Validation of Array Index when parsing a Caddyfile. Multiple parsing functions in the affected library do not validate whether their input values are nil before attempting to access elements, which can lead ...

CVSS 5 | AI score 7.1 | EPSS 0.00055
Exploits: 0 | References: 3
Vulnrichment
added 2024/02/17 5:00 a.m., 11 views

CVE-2024-21498

All versions of the package github.com/greenpau/caddy-security are vulnerable to Server-side Request Forgery SSRF via X-Forwarded-Host header manipulation. An attacker can expose sensitive information, interact with internal services, or exploit other vulnerabilities within the network by...

CVSS 5.3 | AI score 5.6 | EPSS 0.00157
Exploits: 1 | References: 3
Cvelist
added 2024/02/17 5:00 a.m., 15 views

CVE-2024-21496

All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting XSS via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS e.g., &, , ", ', it does not account for th...

CVSS 6.1 | AI score 6 | EPSS 0.00137
Exploits: 1 | References: 3
Snyk
added 2023/09/18 1:49 p.m., 1 view

Server-side Request Forgery (SSRF)

Overview github.com/greenpau/caddy-security is a Security App and Plugin for Caddy v2. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via X-Forwarded-Host header manipulation. An attacker can expose sensitive information, interact with internal services, or...

CVSS 5.3 | AI score 7 | EPSS 0.00157
Exploits: 1 | References: 2