CVE-2024-40084

CVE-2024-40084 describes a remote, unauthenticated buffer overflow in the Boa webserver used by the Vilo 5 Mesh WiFi System (versions

CVE-2024-40084

A Buffer Overflow in the Boa webserver of Vilo 5 Mesh WiFi System = 5.16.1.33 allows remote, unauthenticated attackers to execute arbitrary code via exceptionally long HTTP methods or paths...

Mass-Assigner - Simple Tool Made To Probe For Mass Assignment Vulnerability Through JSON Field Modification In HTTP Requests

Mass Assigner is a powerful tool designed to identify and exploit mass assignment vulnerabilities in web applications. It achieves this by first retrieving data from a specified request, such as fetching user profile data. Then, it systematically attempts to apply each parameter extracted from th...

CVE-2024-35209

A vulnerability has been identified in SINEC Traffic Analyzer 6GK8822-1BG01-0BA0 All versions V1.2. The affected web server is allowing HTTP methods like PUT and Delete. This could allow an attacker to modify unauthorized files...

CVE-2024-35209

CVE-2024-35209 affects Siemens SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) prior to V1.2. The vulnerability is caused by the web server allowing dangerous HTTP methods (PUT and DELETE), which could let an attacker modify unauthorized files. Multiple connected sources confirm affected product/vers...

CVE-2024-35209

A vulnerability has been identified in SINEC Traffic Analyzer 6GK8822-1BG01-0BA0 All versions V1.2. The affected web server is allowing HTTP methods like PUT and Delete. This could allow an attacker to modify unauthorized files...

CVE-2024-23756

The HTTP PUT and DELETE methods are enabled in the Plone official Docker version 5.2.13 5221, allowing unauthenticated attackers to execute dangerous actions such as uploading files to the server or deleting them...

CVE-2024-23756

The HTTP PUT and DELETE methods are enabled in the Plone official Docker version 5.2.13 5221, allowing unauthenticated attackers to execute dangerous actions such as uploading files to the server or deleting them...

CVE-2024-23756

The CVE-2024-23756 issue affects Plone official Docker version 5.2.13 (5221) where HTTP PUT and DELETE methods are enabled, allowing unauthenticated attackers to upload or delete files on the server. Descriptions across multiple sources corroborate that the vulnerability enables dangerous actions...

CVE-2024-23756

The HTTP PUT and DELETE methods are enabled in the Plone official Docker version 5.2.13 5221, allowing unauthenticated attackers to execute dangerous actions such as uploading files to the server or deleting them...

CVE-2023-50327

IBM PowerSC 1.3, 2.0, and 2.1 uses insecure HTTP methods which could allow a remote attacker to perform unauthorized file request modification. IBM X-Force ID: 275109...

CVE-2023-50327 IBM PowerSC weak security

IBM PowerSC 1.3, 2.0, and 2.1 uses insecure HTTP methods which could allow a remote attacker to perform unauthorized file request modification. IBM X-Force ID: 275109...

Denial Of Service (DoS)

org.springframework: spring-web is vulnerable to Denial Of Service DoS. The vulnerability is due to a lack of validation for HTTP methods in DefaultServerRequestObservationConvention.java. This allows an attacker to inject specially crafted HTTP requests that may cause Denial of Service. Note tha...

opentelemetry-instrumentation Denial of Service vulnerability due to unbound cardinality metrics

Summary Autoinstrumentation out of the box adds the label httpmethod that has unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. Details HTTP method for requests can be easily set by an attacker to be random and long. PoC Send many...

GHSA-5RV5-6H4R-H22V opentelemetry-instrumentation Denial of Service vulnerability due to unbound cardinality metrics

Summary Autoinstrumentation out of the box adds the label httpmethod that has unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. Details HTTP method for requests can be easily set by an attacker to be random and long. PoC Send many...

2023 OWASP Top-10 Series: API8:2023 Security Misconfiguration

Welcome to the 9th post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. This post will focus on API8:2023 Security Misconfiguration. In this series we are taking an in-depth look at each category – the details, the impact and...

Oracle Linux 7 : python-twisted-web (ELSA-2020-1091)

The remote Oracle Linux 7 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2020-1091 advisory. 12.1.0-6 - Fix CVE-2019-12387 HTTP Header Injection Resolves: rhbz1721518 Tenable has extracted the preceding description block directly from the Oracle Linux...

GCP ESPv2 Hit with Critical API Authorization Bypass CVE-2023-30845

This post delves into a very impactful JWT Authentication Bypass vulnerability CVE-2023-30845 found in ESP-v2, an open-source service proxy that provides API management capabilities using Google Service Infrastructure. This vulnerability allows malicious API clients to bypass JWT authentication...

DEBIAN-CVE-2023-26130

Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors. Note: This issue is present due...

GHSA-GV7G-X59X-WF8F SvelteKit framework has Insufficient CSRF protection for CORS requests

Summary The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a +server.js file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery CSRF protection to its users. The protection is...