Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`

Summary forwardauth copyheaders deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through phpfastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with . This lets a client send an underscor...

WordPress Pearl plugin <= 1.3.8 - Cross-Site Request Forgery to Header Deletion vulnerability

Cross-Site Request Forgery to Header Deletion vulnerability discovered by Noah Stead TurtleBurg in WordPress Plugin Pearl versions = 1.3.8...

CVE-2024-12206 Wordpress Header Builder Plugin <= 1.3.8 - Cross-Site Request Forgery to Header Deletion

The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing or incorrect nonce validation on the stmheaderbuilder page. This makes it possible for unauthenticated attackers to dele...

PT-2025-1779 · WordPress · Wordpress Header Builder Plugin – Pearl

Name of the Vulnerable Software and Affected Versions: The WordPress Header Builder Plugin – Pearl plugin for WordPress versions up to, and including, 1.3.8 Description: The issue is due to missing or incorrect nonce validation on the stm header builder page, making it possible for unauthenticate...

How to delete duplicate HSTS header

Explain how to eliminate the duplicate HSTS header Duplicated header HSTS Why? it could come from a backend server, and also being applied from the ADC Vserver configuration, so we need to decide which header to keep. In this case, the client wants to delete the HSTS header coming from the server...