mantis -- multiple vulnerabilities

Mantis 2.25.8 release reports: Security and maintenance release 0032432: Update guzzlehttp/psr7 to 1.9.1 CVE-2023-29197 0032981: Information Leakage on DokuWiki Integration CVE-2023-44394...

Mageia: Security Advisory (MGASA-2023-0241)

The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Updated mediawiki packages fix security vulnerability

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many...

MediaWiki < 1.35.11, 1.36.x < 1.38.7, 1.39.x < 1.39.4 Multiple Vulnerabilities - Windows

MediaWiki is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:mediawiki:mediawiki"; ifdescripti...

Debian DSA-5447-1 : mediawiki - security update

The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5447 advisory. Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, a bypass of...

FreeBSD : mediawiki -- multiple vulnerabilities (95dad123-180e-11ee-86ba-080027eda32c)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 95dad123-180e-11ee-86ba-080027eda32c advisory. - guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are...

mediawiki -- multiple vulnerabilities

Mediawiki reports: T335203, CVE-2023-29197 Upgrade guzzlehttp/psr7 to = 1.9.1/2.4.5. T335612, CVE-2023-36674 Manualthumb bypasses badFile lookup. T332889, CVE-2023-36675 XSS in BlockLogFormatter due to unsafe message use...

GHSA-WXMH-65F7-JCVW Improper header name validation in guzzlehttp/psr7

Impact Improper header parsing. An attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. Patches The issue is patched in 1.9.1 and 2.4.5...

HTTP Request Smuggling

guzzlehttp/psr7 is vulnerable to HTTP Request Smuggling. The vulnerability exists in assertHeader function of MessageTrait.php due to improper header parsing which allows an attacker to sneak in a newline \n into both the header name and value, resulting in HTTP cache poisoning and phishing attac...

CVE-2023-29197

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many...

CVE-2023-29197

CVE-2023-29197 affects guzzlehttp/psr7 (PHP). Root cause: improper header parsing that allows a newline character in header names/values, bypassing termination assumptions and enabling potential information disclosure or authorization bypass as described in the advisory chain. Affected releases r...

CVE-2023-29197

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many...

J-BusinessDirectory, 5.7.7 and prior, Other

In the J-BusinessDirectory version 5.8.3 we have updated guzzlehttp to the latest version, 7.5.0 and to PSR 2.1.5...

Mageia: Security Advisory (MGASA-2022-0338)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Updated mediawiki packages fix security vulnerability

Username is not escaped in the "welcomeuser" message T308471. Bundled guzzlehttp/guzzle has been updated to 6.5.8, fixing several issues CVE-2022-29248, CVE-2022-31042, CVE-2022-31043, CVE-2022-31090, CVE-2022-31091...

Authentication header is passed on by Nextcloud Server due to a vulnerable GuzzleHTTP version

None...

Information Disclosure

guzzlehttp/guzzle is vulnerable to information disclosure. The vulnerability exists in serveral functions in RedirectMiddleware.php because the change in port is not considered a change in origin when sending requests with header files which allows an attacker to gain access to sensitive header...

Information Disclosure

guzzlehttp/guzzle is vulnerable to information disclosure. The vulnerability exists because the checkRedirect function of RedirectMiddleware.php does not properly clear the CURLOPTHTTPAUTH option on a change of origin, allowing an attacker to get sensitive information through the Authorization...

Nextcloud: Information exposure in in guzzlehttp/guzzle (https://github.com/nextcloud/3rdparty/tree/master/guzzlehttp/guzzle)

Summary: Affected versions of this package are vulnerable to Information Exposure which fails to strip the Authorization header on HTTP downgrade, this depency is out of date and it can leat to still authorization header. Steps To Reproduce:...

Information Disclosure

guzzlehttp/guzzle is vulnerable to information disclosure. The vulnerability exists because the modifyRequest function of RedirectMiddleware.php does not properly strip the authorization header or cookie header on a change in host or HTTP downgrade, allowing an attacker to get sensitive informati...