CVE-2024-1135 HTTP Request Smuggling in benoitc/gunicorn
Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handli...
CVE-2023-30589
CVE-2023-30589 – Node.js (llhttp CRLF handling) – Technical summary The llhttp parser in Node.js’ http module does not strictly use CRLF to delimit HTTP header fields, potentially allowing HTTP Request Smuggling. The CR character alone (without LF) can delimit headers, contrary to RFC7230 which r...
CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...
Node.js: HTTP Request Smuggling via Empty headers separated by CR
HTTP Request Smuggling HRS was possible in Node.js v20.2.0 due to the llhttp parser in the http module not strictly using the CRLF sequence to delimit HTTP requests. The CR character without LF was sufficient to delimit HTTP header fields in the llhttp parser, which is not compliant with RFC7230...
Node.js: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields
Summary: The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling. Description: The following chunked request is processed. It should be rejected as Transfer-Encoding header obfuscatio...
CVE-2022-32214
A vulnerability was found in NodeJS due to the llhttp parser in the http module not strictly using the CRLF sequence to delimit HTTP requests. This issue can lead to HTTP Request Smuggling HRS. This flaw allows an attacker to send a specially crafted HTTP request to the server and smuggle arbitra...
GHSA-5689-V88G-G6RV llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding
The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). Impacts: - All versions of the Node.js 18.x, 16.x, and 14.x release lines. - llhttp v6.0.7 and llhttp v2.1.5 contain the fixes that we...
CVE-2022-32213
CVE-2022-32213 concerns the llhttp parser in Node.js’ http module, where the parser may incorrectly parse and validate Transfer-Encoding headers, enabling HTTP Request Smuggling (HRS). The vulnerability is cited in multiple advisories (Debian, Red Hat, and Amazon Linux family) as part of a set in...
CVE-2022-32215
CVE-2022-32215 concerns the llhttp parser used by Node.js. The http module can mis-handle multi-line Transfer-Encoding headers in vulnerable builds, enabling HTTP Request Smuggling (HRS). Affected are Node.js releases (which ship llhttp) below v14.20.1, below v16.17.1, and
CVE-2021-22960
The parse function in llhttp 2.1.4 and 6.0.6 ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions...
Detecting HTTP Request Smuggling with Qualys WAS
HTTP Request Smuggling (HRS) is a web application vulnerability that enables an attacker to craft a single request that hides a second request within the body of the first request. HRS enables the following types of attack: web cache poisoning, web cache deception, session hijacking, cross-site...
hrs-bg.com XSS vulnerability
Open Bug Bounty ID: OBB-713516

| Description | Value |
|---|---|
| Affected Website: | hrs-bg.com |
| Open Bug Bounty Program: | Create your bounty program now. It's open and free. |
| Vulnerable Application: | hidden until disclosure |
| Vulnerability Type: | XSS Cross Site Scripting / CWE-79 |
| CVSSv3 Score: | hidden until... |
jobs.hrs.de XSS vulnerability
Open Bug Bounty ID: OBB-339415

| Description | Value |
|---|---|
| Affected Website: | jobs.hrs.de |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | XSS Cross Site Scripting / CWE-79 |
| CVSSv3 Score: | 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Remediation Guide: | OWASP XSS Prevention Cheat Sheet... |
Hotel Search HRS (New) - Customized SSL, WebView code execution vulnerabilities
HackApp vulnerability scanner discovered that the application Hotel Search HRS (New), published on the 'play' market, has multiple vulnerabilities...
HRS Holidays - Customized SSL, External URLs, KeyStore usage vulnerabilities
HackApp vulnerability scanner discovered that the application HRS Holidays, published on the 'play' market, has multiple vulnerabilities...
HRS App - Dangerous filesystem permissions, Redefined SSL Common Names verifier, WebView code execution vulnerabilities
HackApp vulnerability scanner discovered that the application HRS App, published on the 'play' market, has multiple vulnerabilities...
CVE-2008-4204
SQL injection vulnerability in city.asp in SoftAcid Hotel Reservation System HRS allows remote attackers to execute arbitrary SQL commands via the city parameter...
CVE-2008-4204
CVE-2008-4204 is a SQL injection vulnerability in the City.asp component of SoftAcid Hotel Reservation System (HRS). The vulnerability is triggered via the city parameter, potentially allowing an attacker to execute arbitrary SQL commands on the backend. The NVD entry lists a CVSS v2 base score o...