45 matches found
Use of Cache Containing Sensitive Information
Overview next is a react framework. Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the image optimization process, when responses from API routes vary based on request headers such as Cookie or Authorization. An attacker can gain unauthorized...
Next.js Affected by Cache Key Confusion for Image Optimization API Routes
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers such as Cookie or Authorization, these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug...
Improper Access Control
umbraco.cms.api.delivery is vulnerable to improper access control. The vulnerability is due to output caching not varying by the API key authorization header, which allows an attacker to access cached API responses without a valid key if they were previously requested by an authorized user...
CVE-2024-0789
The WP Maintenance plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 6.1.9.2 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to...
UBUNTU-CVE-2024-10006
A vulnerability was identified in Consul and Consul Enterprise “Consul” such that using Headers in L7 traffic intentions could bypass HTTP header based access rules...
HashiCorp Consul 安全漏洞
HashiCorp Consul is a suite of distributed, highly available data center-aware solutions from HashiCorp, USA. The product is used to connect and configure applications across dynamically distributed infrastructures. A security vulnerability exists in HashiCorp Consul that stems from the use of...
PT-2024-8323 · Hashicorp +4 · Hashicorp Consul +4
Name of the Vulnerable Software and Affected Versions: Consul versions 1.9.0 through 1.20.0 Description: A vulnerability was identified in Consul and Consul Enterprise such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. This could allow a remote attacker ...
USN-6913-1 php-cas vulnerability
Filip Hejsek discovered that phpCAS was using HTTP headers to determine the service URL used to validate tickets. A remote attacker could possibly use this issue to gain access to a victim's account on a vulnerable CASified service. This security update introduces an incompatible API change. Afte...
GHSA-G95V-3PJ6-J433 Ant Media Server does not properly authorize non-administrative API calls
Ant Media Server Community Edition in a default configuration is vulnerable to an improper HTTP header based authorization, leading to a possible use of non-administrative API calls reserved only for authorized users. All versions up to 2.9.0 tested and possibly newer ones are believed to be...
PT-2024-26036 · Ant Media Server · Ant Media Server Community Edition
Name of the Vulnerable Software and Affected Versions: Ant Media Server Community Edition versions prior to 2.9.0 Description: The issue is related to an improper HTTP header based authorization, allowing the use of non-administrative API calls reserved for authorized users. Recommendations: For...
CVE-2024-23308
When a BIG-IP Advanced WAF or BIG-IP ASM policy with a Request Body Handling option is attached to a virtual server, undisclosed requests can cause the BD process to terminate. The condition results from setting the Request Body Handling option in the Header-Based Content Profile for an Allowed U...
CVE-2024-23308 BIG-IP Advanced WAF and ASM vulnerability
When a BIG-IP Advanced WAF or BIG-IP ASM policy with a Request Body Handling option is attached to a virtual server, undisclosed requests can cause the BD process to terminate. The condition results from setting the Request Body Handling option in the Header-Based Content Profile for an Allowed U...
PT-2024-19799 · F5 · Big-Ip
Name of the Vulnerable Software and Affected Versions: BIG-IP affected versions not specified Description: When a BIG-IP Advanced WAF or BIG-IP ASM policy with a Request Body Handling option is attached to a virtual server, undisclosed requests can cause the BD process to terminate. The condition...
PYSEC-2024-27
CrateDB 5.5.1 is contains an authentication bypass vulnerability in the Admin UI component. After configuring password authentication and Local In the case of an address, identity authentication can be bypassed by setting the X-Real IP request header to a specific value and accessing the Admin UI...
HBSQLI - Automated Tool For Testing Header Based Blind SQL Injection
HBSQLI is an automated command-line tool for performing Header Based Blind SQL injection attacks on web applications. It automates the process of detecting Header Based Blind SQL injection vulnerabilities, making it easier for security researchers , penetration testers & bug bounty hunters to tes...
The vulnerability of the Apex One antivirus software is caused by deficiencies in the authentication process, which allows a hacker to download arbitrary files into the SampleSubmission directory.
The vulnerability of the anti-virus software Apex One is due to deficiencies in the authentication process. Exploiting this vulnerability allows a malicious actor to download arbitrary files into the SampleSubmission directory by using the Content-Length header in the HTTP PUT request sent to the...
CVE-2022-37724
Project Wonder WebObjects 1.0 through 5.4.3 is vulnerable to Arbitrary HTTP Header injection and URL- or Header-based XSS reflection in all web-server adaptor interfaces...
CVE-2022-37724
Project Wonder WebObjects 1.0 through 5.4.3 is vulnerable to Arbitrary HTTP Header injection and URL- or Header-based XSS reflection in all web-server adaptor interfaces...
Design/Logic Flaw
Project Wonder WebObjects 1.0 through 5.4.3 is vulnerable to Arbitrary HTTP Header injection and URL- or Header-based XSS reflection in all web-server adaptor interfaces...
CVE-2022-1614
The WP-EMail WordPress plugin before 2.69.0 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTEADDR, which makes it possible to bypass IP-based anti-spamming restrictions...