484 matches found
CVE-2016-9014
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWEDHOSTS...
CVE-2016-9014
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWEDHOSTS...
CVE-2016-9014
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWEDHOSTS...
CVE-2016-7965
DokuWiki 2016-06-26a and older uses $SERVERHTTPHOST instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. A remote unauthenticated attacker can change the URL's hostname via the HTTP Host header. The vulnerability can be triggered only if the Host...
CVE-2016-7965
DokuWiki 2016-06-26a and older uses $SERVERHTTPHOST instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. A remote unauthenticated attacker can change the URL's hostname via the HTTP Host header. The vulnerability can be triggered only if the Host...
Design/Logic Flaw
DokuWiki 2016-06-26a and older uses $SERVERHTTPHOST instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. A remote unauthenticated attacker can change the URL's hostname via the HTTP Host header. The vulnerability can be triggered only if the Host...
CVE-2016-7965
DokuWiki 2016-06-26a and older uses $SERVERHTTPHOST instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. A remote unauthenticated attacker can change the URL's hostname via the HTTP Host header. The vulnerability can be triggered only if the Host...
CVE-2016-7965
DokuWiki 2016-06-26a and older uses $SERVERHTTPHOST instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. A remote unauthenticated attacker can change the URL's hostname via the HTTP Host header. The vulnerability can be triggered only if the Host...
CVE-2016-2784
CMS Made Simple 2.x before 2.1.3 and 1.x before 1.12.2, when Smarty Cache is activated, allow remote attackers to conduct cache poisoning attacks, modify links, and conduct cross-site scripting XSS attacks via a crafted HTTP Host header in a request...
CVE-2016-2784
CMS Made Simple is vulnerable to a cache-poisoning/XSS issue when Smarty Cache is active. A remote attacker can craft the Host header to poison the web server cache and modify links, potentially enabling XSS. Affected are CMS Made Simple 2.x before 2.1.3 and 1.x before 1.12.2. Exploitation has be...
CVE-2016-2784
CMS Made Simple 2.x before 2.1.3 and 1.x before 1.12.2, when Smarty Cache is activated, allow remote attackers to conduct cache poisoning attacks, modify links, and conduct cross-site scripting XSS attacks via a crafted HTTP Host header in a request...
Design/Logic Flaw
mimeheader.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attacks via a crafted HTTP Host header, aka a "header smuggling" issue...
CVE-2016-4554
CVE-2016-4554 affects Squid and is a header smuggling flaw in mime_get_header_field() that can bypass same-origin protections and enable cache poisoning when Squid acts as a reverse/interception proxy. Connected advisories describe concurrent issues (CVE-2016-4051/4052/4053/4054) in ESI processin...
CVE-2016-4554
mimeheader.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attacks via a crafted HTTP Host header, aka a "header smuggling" issue...
CVE-2016-4554
mimeheader.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attacks via a crafted HTTP Host header, aka a "header smuggling" issue...
CVE-2016-4554
mimeheader.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attacks via a crafted HTTP Host header, aka a "header smuggling" issue...
CVE-2016-2049
examples/consumer/common.php in JanRain PHP OpenID library aka php-openid improperly checks the openid.realm parameter against the SERVERNAME element in the SERVER superglobal array, which might allow remote attackers to hijack the authentication of arbitrary users via vectors involving a crafted...
Design/Logic Flaw
examples/consumer/common.php in JanRain PHP OpenID library aka php-openid improperly checks the openid.realm parameter against the SERVERNAME element in the SERVER superglobal array, which might allow remote attackers to hijack the authentication of arbitrary users via vectors involving a crafted...
CVE-2016-2049
examples/consumer/common.php in JanRain PHP OpenID library aka php-openid improperly checks the openid.realm parameter against the SERVERNAME element in the SERVER superglobal array, which might allow remote attackers to hijack the authentication of arbitrary users via vectors involving a crafted...
CVE-2016-1983
The clienthost function in parsers.c in Privoxy before 3.0.24 allows remote attackers to cause a denial of service invalid read and crash via an empty HTTP Host header...