Hardcoded credentials
The incoming-links plugin before 0.9.10b for WordPress has referrers.php XSS via the Referer HTTP header...
CVE-2015-9472
CVE-2015-9472 affects the WordPress incoming-links plugin prior to 0.9.10b, where referrers.php XSS is triggered via the Referer HTTP header. Multiple connected sources (NVD, RH, CNVD, CVE listings) confirm a cross-site scripting vulnerability in this plugin. Public details describe the flaw and ...
CVE-2018-1067
It was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value...
UBUNTU-CVE-2019-17420
In OISF LibHTP before 0.5.31, as used in Suricata 4.1.4 and other products, an HTTP protocol parsing error causes the httpheader signature to not alert on a response with a single \r\n ending...
CVE-2019-17213
The WebARX plugin 1.3.0 for WordPress has unauthenticated stored XSS via the URI or the X-Forwarded-For HTTP header...
Design/Logic Flaw
The WebARX plugin 1.3.0 for WordPress has unauthenticated stored XSS via the URI or the X-Forwarded-For HTTP header...
CVE-2019-17213
CVE-2019-17213 affects the WebARX plugin for WordPress (version 1.3.0). The connected records confirm an unauthenticated stored cross-site scripting (XSS) vulnerability that can be triggered via the URI or the X-Forwarded-For HTTP header. The root cause is an XSS flaw in how input in the request ...
CVE-2009-2281
Multiple heap-based buffer underflows in the readPostBody function in cgiutil.c in mapserv in MapServer 4.x through 4.10.4 and 5.x before 5.4.2 allow remote attackers to execute arbitrary code via (1) a crafted Content-Length HTTP header or (2) a large HTTP request, related to an integer overflow tha...
PT-2019-15559 · Alt Linux Team · Alt Linux
Name of the Vulnerable Software and Affected Versions: ClickHouse versions prior to 19.13.5.44; ALT Linux affected versions not specified. Description: The issue allows HTTP header injection via the url table function. There is also a mention of a vulnerability in the ALT Linux package, but details...
HTTP response splitting in WEBrick (Additional fix)
If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This is the same issue as CVE-2017-17742. The previous fix was incomplete, which addressed the...
GoAhead 2.5.0 - Host Header Injection Vulnerability
Exploit Title: GoAhead Web server HTTP Header Injection; Shodan Query: Server: Goahead; Exploit Author: Ramikan; Vendor Homepage: https://www.embedthis.com/goahead/; Affected Version: 2.5.0, may be others; Tested On Version: 2.5.0 in Cisco Switches and Net Gear routers; Vendor Fix: N/A; CVE: N/A; CVSS...
[SECURITY] [DSA 4534-1] golang-1.11 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4534-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff September 27, 2019 https://www.debian.org/security/faq -...
UBUNTU-CVE-2019-16869
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers such as a "Transfer-Encoding : chunked" line, which leads to HTTP request smuggling...
CVE-2019-16276
It was discovered that net/http through net/textproto in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or ...
Design/Logic Flaw
The crazy-bone plugin before 0.6.0 for WordPress has XSS via the User-Agent HTTP header...
CVE-2015-9430
The crazy-bone plugin before 0.6.0 for WordPress has XSS via the User-Agent HTTP header...
CVE-2015-9430
CVE-2015-9430 affects the Crazy Bone WordPress plugin (before version 0.6.0). The issue is an XSS vulnerability via the User-Agent HTTP header. Multiple connected sources confirm the same root cause and affected component. The wpvulndb entry additionally aligns with stored XSS scenarios for earli...
Design/Logic Flaw
The sitepress-multilingual-cms WPML plugin 2.9.3 to 3.2.6 for WordPress has XSS via the Accept-Language HTTP header...
FreeBSD : jenkins -- multiple vulnerabilities (9720bb39-f82a-402f-9fe4-e2c875bdda83)
Jenkins Security Advisory: Description: Medium SECURITY-1498 / CVE-2019-10401 Stored XSS vulnerability in expandable textbox form control; Medium SECURITY-1525 / CVE-2019-10402 XSS vulnerability in combobox form control; Medium SECURITY-1537 (1) / CVE-2019-10403 Stored XSS vulnerability in SCM tag...