GO-2024-3135 HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik

HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik...

CVE-2024-45410

Traefik vulnerability CVE-2024-45410 involves hop-by-hop header handling where X-Forwarded-Host/X-Forwarded-Port (and related headers) could be modified by a client in HTTP/1.1, enabling header manipulation that trusted backend apps may rely on for security decisions. The issue arises from how Tr...

CVE-2024-45410 HTTP client can remove the X-Forwarded headers in Traefik

Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modif...

CVE-2024-45410 HTTP client can remove the X-Forwarded headers in Traefik

Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modif...

CVE-2024-45410

A flaw was found in Traefik. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modify these headers. Since t...

GHSA-62C8-MH53-4CQV HTTP client can manipulate custom HTTP headers that are added by Traefik

Impact There is a vulnerability in Traefik that allows the client to remove the X-Forwarded headers except the header X-Forwarded-For. Patches - https://github.com/traefik/traefik/releases/tag/v2.11.9 - https://github.com/traefik/traefik/releases/tag/v3.1.3 Workarounds No workaround. For more...

CVE-2024-7873 Stored XSS in Veribilim Software's Veribase Order Management

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting', Improper Encoding or Escaping of Output, CWE - 83 Improper Neutralization of Script in Attributes in a Web Page vulnerability in Veribilim Software Veribase Order allows Stored XSS, Cross-Site Scripting XSS...

CVE-2024-7873 Stored XSS in Veribilim Software's Veribase Order Management

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting', Improper Encoding or Escaping of Output, CWE - 83 Improper Neutralization of Script in Attributes in a Web Page vulnerability in Veribilim Software Veribase Order allows Stored XSS, Cross-Site Scripting XSS...

Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks

Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users' credentials. "Unlike other phishing webpage distribution behavior through HTML content, these attacks use the...

[SECURITY] Fedora 41 Update: haproxy-3.0.4-1.fc41

HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. Indeed, it can: - route HTTP requests depending on statically assigned cookies - spread load among several servers while assuring server persistence through the use of HTTP cookies - switch to...

[SECURITY] Fedora 40 Update: haproxy-2.9.10-1.fc40

HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. Indeed, it can: - route HTTP requests depending on statically assigned cookies - spread load among several servers while assuring server persistence through the use of HTTP cookies - switch to...

Flask-AppBuilder's login form allows browser to cache sensitive fields

Impact Auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. Patches Upgrade flask-appbuilder to version 4.5.1 Workarounds If upgrading is not possible configure your web server to send the...

GHSA-FW5R-6M3X-RH7P Flask-AppBuilder's login form allows browser to cache sensitive fields

Impact Auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. Patches Upgrade flask-appbuilder to version 4.5.1 Workarounds If upgrading is not possible configure your web server to send the...

CVE-2024-45314

Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. Version 4.5.1 contains a patch for this issue. If...

CVE-2024-45314 Flask-AppBuilder login form allows browser to cache sensitive fields

Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. Version 4.5.1 contains a patch for this issue. If...

CVE-2024-45314

CVE-2024-45314 affects Flask-AppBuilder: the auth DB login form allows the browser to cache sensitive data. Affected component is the login form; root cause is default cache directives exposing data in shared environments. Version 4.5.1 fixes the issue. If upgrading is not possible, a workaround ...

CVE-2024-45314

Removed by vendor...

CVE-2024-45314 Flask-AppBuilder login form allows browser to cache sensitive fields

Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. Version 4.5.1 contains a patch for this issue. If...

CVE-2024-7923

An authentication bypass vulnerability has been identified in Pulpcore when deployed with Gunicorn versions prior to 22.0, due to the puppet-pulpcore configuration. This issue arises from Apache's modproxy not properly unsetting headers because of restrictions on underscores in HTTP headers,...

CVE-2024-7012

An authentication bypass vulnerability has been identified in Foreman when deployed with External Authentication, due to the puppet-foreman configuration. This issue arises from Apache's modproxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing...