34 matches found
CVE-2026-39825 ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery...
CVE-2026-39825
CVE-2026-39825 concerns Go’s ReverseProxy (net/http/httputil). The issue: ReverseProxy forwards query parameters that are not visible to Rewrite/Director functions parsing parameters via url.ParseQuery. It does not respect ParseQuery’s limit on total query parameters (controlled by GODEBUG=urlmax...
CVE-2026-39825
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery...
GO-2026-4976 ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery...
Tandoor Recipes SQL注入漏洞
Tandoor Recipes is an open-source application designed for managing recipes, planning meals, creating shopping lists, and more. Versions of Tandoor Recipes prior to 2.6.0 contained a SQL injection vulnerability. This vulnerability stemmed from the Recipe API endpoint exposing a hidden debug query...
CVE-2022-35520
WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 api.cgi has no filtering on parameter ufconf, and this is a hidden parameter which doesn't appear in POST body, but exist in cgi binary. This leads to command injection in page /ledonoff.shtml...
EUVD-2020-13697
Malware in sbrugna...
CVE-2022-34188
Jenkins Hidden Parameter Plugin 0.0.4 and earlier does not escape the name and description of Hidden Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...
Travel Website SQL Injection Vulnerability
Travel Website is a PHP-based travel website. A SQL injection vulnerability exists in Travel Website v1.0, which occurs when the hotelIDHidden parameter on the generateReceipt.php page is processed without filtering the data and sent to the database for processing...
grafana: Spoofing of the originalUrl parameter of snapshots
A flaw was found in the grafana package. While creating a snapshot, an attacker may manipulate a hidden HTTP parameter to inject a malicious URL in the "Open original dashboard" button...
USN-6293-1: OpenStack Heat vulnerability
It was discovered that OpenStack Heat incorrectly handled certain hidden parameter values. A remote authenticated user could possibly use this issue to obtain sensitive data...
IBM: RXSS in hidden parameter
RXSS in hidden parameter was reported to IBM, analyzed, and has been remediated. The vulnerability was a reflected cross-site scripting issue found in a hidden parameter...
Code injection
An issue discovered in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary php code via the hidden parameter to admin.php when editing a page...
Pluck CMS 代码注入漏洞
Pluck is a content management system CMS developed using the PHP language. A security vulnerability exists in Pluck CMS version 4.7.10-dev2, which originates from a vulnerability that allows an attacker to execute arbitrary php code via the hidden parameter of admin.php while editing a page...
PT-2023-11568 · Pluck Cms · Pluck Cms
Name of the Vulnerable Software and Affected Versions: Pluck CMS version 4.7.10-dev2 Description: The issue allows a remote attacker to execute arbitrary php code via the hidden parameter to "admin.php" when editing a page. Recommendations: For Pluck CMS version 4.7.10-dev2, as a temporary...
USN-6066-1 heat vulnerability
It was discovered that OpenStack Heat incorrectly handled certain hidden parameter values. A remote authenticated user could possibly use this issue to obtain sensitive data...
CVE-2022-35520
WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 api.cgi has no filtering on parameter ufconf, and this is a hidden parameter which doesn't appear in POST body, but exist in cgi binary. This leads to command injection in page /ledonoff.shtml...
GHSA-JHFV-8936-G652 Cross-site Scripting in Jenkins Hidden Parameter Plugin
Jenkins Hidden Parameter Plugin 0.0.4 and earlier does not escape the name and description of Hidden Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. Exploitation of this...
Cross-site Scripting in Jenkins Hidden Parameter Plugin
Jenkins Hidden Parameter Plugin 0.0.4 and earlier does not escape the name and description of Hidden Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. Exploitation of this...
CVE-2022-34188
Jenkins Hidden Parameter Plugin 0.0.4 and earlier does not escape the name and description of Hidden Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...