CVE-2022-3941
A vulnerability has been found in Activity Log Plugin and classified as critical. This vulnerability affects unknown code of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to improper output neutralization for logs. The attack can be initiated remotely...
Design/Logic Flaw
A vulnerability has been found in Activity Log Plugin and classified as critical. This vulnerability affects unknown code of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to improper output neutralization for logs. The attack can be initiated remotely...
CVE-2022-3941 Activity Log Plugin HTTP Header neutralization for logs
A vulnerability has been found in Activity Log Plugin and classified as critical. This vulnerability affects unknown code of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to improper output neutralization for logs. The attack can be initiated remotely...
CVE-2022-3941
The CVE-2022-3941 entry describes a vulnerability in the Activity Log Plugin’s HTTP Header Handler, where manipulating the X-Forwarded-For argument causes improper output neutralization in logs. Affected component: HTTP Header Handler within the WordPress Activity Log Plugin. Impact as stated: re...
Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management
Summary IBM InfoSphere Master Data Management is affected by IBM WebSphere Application Server vulnerability to HTTP header injection when processing web requests. This has been addressed. Vulnerability Details CVEID:CVE-2022-34165 DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9...
Cisco Email Security Appliance HTTP Response Header Injection (cisco-sa-ESA-HTTP-Inject-nvsycUmR)
According to its self-reported version, Cisco Email Security Appliance is affected by a vulnerability due to a failure to sanitize input values. An unauthenticated, remote attacker can exploit this, by injecting malicious HTTP headers, in order to conduct an HTTP response splitting attack. Please...
Cisco Secure Email and Web Manager (SMA) HTTP Response Header Injection (cisco-sa-ESA-HTTP-Inject-nvsycUmR)
According to its self-reported version, Cisco Secure Email and Web Manager (SMA) is affected by a vulnerability due to a failure to sanitize input values. An unauthenticated, remote attacker can exploit this, by injecting malicious HTTP headers, in order to conduct an HTTP response splitting attack...
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Business Automation Workflow (CVE-2022-34165)
Summary WebSphere Application Server Liberty is shipped as part of IBM Business Automation Workflow containers and as part of the optional components Process Federation Server since 8.5.6, and User Management Service since 18.0.0.1 in IBM Business Automation Workflow traditional. Information abou...
GHSA-8Q72-6QQ8-XV64 phpCAS vulnerable to Service Hostname Discovery Exploitation
Impact The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS...
CVE-2022-42252
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a...
CVE-2022-39369
phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a...
CVE-2022-39026 e-Excellence Inc. U-Office Force - Stored XSS
U-Office Force UserDefault page has insufficient filtering for special characters in the HTTP header fields. A remote attacker with general user privilege can exploit this vulnerability to inject JavaScript and perform a Stored Cross-Site Scripting (XSS) attack...
PT-2022-24682 · U-Office · U-Office
Name of the Vulnerable Software and Affected Versions: U-Office affected versions not specified Description: The issue is related to insufficient filtering for special characters in the HTTP header fields of the UserDefault page. This allows a remote attacker with general user privilege to inject...
Security Bulletin: CP4D Match 360 is vulnerable to HTTP header injection within IBM WebSphere Application Server Liberty (CVE-2022-34165)
Summary CP4D Match 360 is vulnerable to HTTP header injection within IBM WebSphere Application Server Liberty. IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.9 are vulnerable to HTTP header injection, caused by improper validation. This could allow an attacker to conduct various...
CVE-2022-3409
CVE-2022-3409 concerns the bmcweb component of the OpenBMC project. The issue arises in the multipart_parser when handling unclosed HTTP headers: passing a long multipart form header without a colon can overwrite one byte on the heap, enabling repeated exploitation to cause a denial of service. T...
Security Bulletin: IBM Robotic Process Automation may be vulnerable to HTTP Header Injections due to IBM WebSphere Application Server Liberty (CVE-2022-34165)
Summary IBM WebSphere Application Server Liberty is used by IBM Robotic Process Automation as part of OCR, Antivirus, and User Management Services. CVE-2022-34165 Vulnerability Details CVEID:CVE-2022-34165 DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere...
CVE-2022-29477
An authentication bypass vulnerability exists in the web interface /action/factory functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP header can lead to authentication bypass. An attacker can send an HTTP request to trigger this vulnerability...
Abode Systems, Inc. iota All-In-One Security Kit web interface /action/factory* authentication bypass vulnerability
Talos Vulnerability Report TALOS-2022-1554 Abode Systems, Inc. iota All-In-One Security Kit web interface /action/factory authentication bypass vulnerability October 20, 2022 CVE Number CVE-2022-29477 SUMMARY An authentication bypass vulnerability exists in the web interface /action/factory...
Information Disclosure
grafana is vulnerable to information disclosure. The vulnerability is due to the proxy endpoints leaking sensitive authentication tokens to some destination plugins which allows an attacker to gain access to HTTP header information...
CVE-2022-31130
Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with...