openSUSE: Security Advisory for rubygem-puma (SUSE-SU-2022:1515-1)

The remote host is missing an update for the Copyright C 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

GHSA-594H-CX6W-P4JF Typo3 Host Header Spoofing Vulnerability

TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to "Host Spoofing."...

GHSA-J8P3-8M69-2HQQ CakePHP allows remote attackers to spoof their IP

The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header...

GHSA-WQ2P-Q66W-Q8GP Apache Tomcat Denial of Service vulnerability

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling 1 a large total amount of chunked data or 2 whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial o...

Akka HTTP 10.1.14 - Denial of Service

Exploit Title: Akka HTTP Denial of Service via Nested Header Comments Date: 18/4/2022 Exploit Author: cxosmo Vendor Homepage: https://akka.io Software Link: https://github.com/akka/akka-http Version: Akka HTTP 10.1.x 10.1.15 & 10.2.x 10.2.7 Tested on: Akka HTTP 10.2.4, Ubuntu CVE : CVE-2021-42697...

Host Header Injection

craftcms/cms is vulnerable to host header injection. The vulnerability exists due to the lack of validation in the password reset token in processInvalidToken function of UsersController.php, allowing an attacker with valid email addresses or account names to manipulate the password reset...

Improper account password reset in Craft CMS

Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must...

CVE-2022-29933

Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must...

Default configuration

Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must...

CVE-2022-29933

Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must...

CVE-2022-29933

Craft CMS up to version 3.7.36 is affected by a password-reset poisoning vulnerability. An unauthenticated attacker who knows a valid username can reset the target account by supplying a crafted HTTP header (X-Forwarded-Host) to the password-reset URL at /index.php?p=admin/actions/users/send-pass...

CVE-2022-29167

A regular expression denial of service ReDoS was found in Hawk in its header parsing functionality. The issue arises from inadequate input validation in the Hawk.utils.parseHost function when processing untrusted input with regular expressions. This flaw allows an attacker to send a specially...

CVE-2022-29167 ReDoS vulnerability in header parsing in hawk

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse Host HTTP...

CVE-2021-29854

IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the...

Cross site scripting

IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the...

CVE-2021-29854

IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the...

CVE-2022-26673

ASUS RT-AX88U has insufficient filtering for special characters in the HTTP header parameter. A remote attacker with general user privilege can exploit this vulnerability to inject JavaScript and perform Stored Cross-Site Scripting XSS attacks...

Cross site scripting

ASUS RT-AX88U has insufficient filtering for special characters in the HTTP header parameter. A remote attacker with general user privilege can exploit this vulnerability to inject JavaScript and perform Stored Cross-Site Scripting XSS attacks...

CVE-2022-26673 ASUS RT-AX88U - Stored XSS

ASUS RT-AX88U has insufficient filtering for special characters in the HTTP header parameter. A remote attacker with general user privilege can exploit this vulnerability to inject JavaScript and perform Stored Cross-Site Scripting XSS attacks...

CVE-2022-26673

ASUS RT-AX88U has insufficient filtering for special characters in the HTTP header parameter. A remote attacker with general user privilege can exploit this vulnerability to inject JavaScript and perform Stored Cross-Site Scripting XSS attacks...