CVE-2024-10086

A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS...

CVE-2024-10086

CVE-2024-10086 affects Consul and Consul Enterprise. The issue arises when the server response does not explicitly set a Content-Type header, allowing user-provided inputs to be interpreted under an unintended context and potentially lead to reflected XSS. The available sources confirm the vulner...

CVE-2024-10006

CVE-2024-10006 affects Consul and Consul Enterprise. The issue enables bypassing HTTP header based access rules by manipulating Headers in L7 traffic intentions. The vulnerability is defined in public advisories and CVSS vectors indicate high impact (noting different scope/impact across sources)....

CVE-2024-43424

Sharp and Toshiba Tec MFPs improperly process HTTP request headers, resulting in an Out-of-bounds Read vulnerability. Crafted HTTP requests may cause affected products crashed...

Security Bulletin: IBM Observability with Instana for Self-Hosted Standard Edition is affected by Multiple Security Vulnerabilities

Summary Multiple vulnerabilities were remediated in IBM Observability with Instana for Self-Hosted Standard Edition 281. Vulnerability Details CVEID:CVE-2022-41722 DESCRIPTION: Golang Go could allow a remote attacker to traverse directories on the system, caused by a flaw in the filepath.Clean...

Medium: amazon-ssm-agent

Issue Overview: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed...

CentOS 7 : squid (RHSA-2024:1787)

The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1787 advisory. - Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4...

CVE-2024-8927

In PHP versions 8.1. before 8.1.30, 8.2. before 8.2.24, 8.3. before 8.3.12, HTTPREDIRECTSTATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP...

CVE-2024-8927

In PHP versions 8.1. before 8.1.30, 8.2. before 8.2.24, 8.3. before 8.3.12, HTTPREDIRECTSTATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP...

CVE-2024-34535

CVE-2024-34535 affects Mastodon 4.1.6. The issue allows bypassing API endpoint rate limiting by sending a crafted HTTP request header. Impact is described as potential exposure of higher-level access due to rate-limiting bypass, with CVSSv3.1 indicating Network attack, High confidentiality impact...

CVE-2024-47070 authentik vulnerable to password authentication bypass via X-Forwarded-For HTTP header

authentik is an open-source identity provider. A vulnerability that exists in versions prior to 2024.8.3 and 2024.6.5 allows bypassing password login by adding X-Forwarded-For header with an unparsable IP address, e.g. a. This results in a possibility of logging into any account with a known logi...

CVE-2022-4541 WordPress Visitors <= 1.0 - Unauthenticated Stored Cross-Site Scripting via HTTP Header

The WordPress Visitors plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a spoofed HTTP Header value in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVE-2022-4541 WordPress Visitors <= 1.0 - Unauthenticated Stored Cross-Site Scripting via HTTP Header

The WordPress Visitors plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a spoofed HTTP Header value in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

HTTP Header Injection

puma is vulnerable to HTTP Header Injection. The vulnerability is due to inadequate validation and prioritization of HTTP headers, where Puma does not properly distinguish between standard headers and those with underscores, allowing conflicting headers to coexist without proper handling...

ROS-20240923-08

Vulnerabilities in Mozilla Firefox, Firefox ESR and Thunderbird email client are related to flaws in the in access control. Exploitation of the vulnerability could allow an attacker acting remotely, spoofing attacks Vulnerability in the implementation of the HSTS HTTP Strict Transport Security...

CVE-2024-7207

...

CVE-2024-7207

...

EulerOS 2.0 SP10 : python-pip (EulerOS-SA-2024-2451)

According to the versions of the python-pip packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect...

pyload-ng vulnerable to RCE with js2py sandbox escape

Summary Any pyload-ng running under python3.11 or below are vulnerable under RCE. Attacker can send a request containing any shell command and the victim server will execute it immediately. Details js2py has a vulnerability of sandbox escape assigned as CVE-2024-28397, which is used by the...

OESA-2024-2103 netty3 security update

Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server. Security Fixes: Netty before 4.1.42.Final mishandles whitespac...