Lucene search
K

64 matches found

Prion
Prion
added 2024/01/04 9:15 p.m.13 views

Code injection

httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written...

5CVSS7AI score0.0129EPSS
Exploits1References8Affected Software1
UbuntuCve
UbuntuCve
added 2024/01/04 9:15 p.m.23 views

CVE-2024-22049

httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written...

5.3CVSS6.1AI score0.0129EPSS
Exploits1References7
OSV
OSV
added 2024/01/04 9:15 p.m.1 views

UBUNTU-CVE-2024-22049

httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written...

5.3CVSS5.8AI score0.0129EPSS
Exploits1References7
CVE
CVE
added 2024/01/04 8:19 p.m.79 views

CVE-2024-22049

CVE-2024-22049 affects the Ruby library ruby-httparty (pre-0.21.0) and allows a remote, unauthenticated attacker to tamper multipart/form-data uploads by supplying a crafted filename parameter, resulting in attacker-controlled filenames being written. This is described as an assumed-immutable web...

5.3CVSS5AI score0.0129EPSS
Exploits1References9Affected Software2
Vulnrichment
Vulnrichment
added 2024/01/04 8:19 p.m.3 views

CVE-2024-22049 httparty Multipart/Form-Data Request Tampering Vulnerability

httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written...

5.2AI score0.0129EPSS
Exploits1References8
OSV
OSV
added 2024/01/04 8:19 p.m.21 views

CVE-2024-22049 httparty Multipart/Form-Data Request Tampering Vulnerability

httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written...

5.3CVSS6.2AI score0.0129EPSS
Exploits1References12
Cvelist
Cvelist
added 2024/01/04 8:19 p.m.39 views

CVE-2024-22049 httparty Multipart/Form-Data Request Tampering Vulnerability

httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written...

5.4AI score0.0129EPSS
Exploits1References8
Debian CVE
Debian CVE
added 2024/01/04 8:19 p.m.19 views

CVE-2024-22049

httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written...

5.3CVSS5.2AI score0.0129EPSS
Exploits1
CNNVD
CNNVD
added 2024/01/04 12:0 a.m.4 views

httparty Security Vulnerabilities

httparty is a library by the individual developer John Nunemaker. A security vulnerability exists in httparty versions prior to 0.21.0, which stems from a lack of escaping of the Content-Disposition filename in httparty, leading to request tampering...

5.3CVSS6.8AI score0.0129EPSS
Exploits1References9
Veracode
Veracode
added 2023/01/10 6:42 a.m.10 views

Request Tampering

httparty is vulnerable to Request Tampering. A remote attacker is able to rewrite the name field according to the crafted file name, impersonating another field and rewrite the filename extension at the time multipart/form-data is generated by tampering with the filename due to the lack of escapi...

2.4AI score
Exploits0
Snyk
Snyk
added 2023/01/03 1:36 p.m.3 views

External Control of Assumed-Immutable Web Parameter

Overview Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter due to improper escape of the " character in the generatemultipart function, which allows injecting malicious content to the filename parameter via the Content-Disposition header. PoC...

6.5CVSS7AI score0.0129EPSS
Exploits1References2
OSV
OSV
added 2023/01/03 1:36 p.m.34 views

GHSA-5PQ7-52MG-HR42 httparty has multipart/form-data request tampering vulnerability

Impact I found "multipart/form-data request tampering vulnerability" caused by Content-Disposition "filename" lack of escaping in httparty. httparty/lib/httparty/request body.rb def generatemultipart...

6.5CVSS5AI score0.0129EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2023/01/03 1:36 p.m.150 views

httparty has multipart/form-data request tampering vulnerability

Impact I found "multipart/form-data request tampering vulnerability" caused by Content-Disposition "filename" lack of escaping in httparty. httparty/lib/httparty/request body.rb def generatemultipart...

5.3CVSS5AI score0.0129EPSS
Exploits1References6Affected Software1
Positive Technologies
Positive Technologies
added 2023/01/03 12:0 a.m.4 views

PT-2023-32945 · Httparty +3 · Httparty +3

Name of the Vulnerable Software and Affected Versions: httparty versions prior to 0.21.0 Description: A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads, which could result in attacker-controlled filenames being written. This issue is...

5.3CVSS6.9AI score0.0129EPSS
Exploits1References30
RubySec
RubySec
added 2023/01/03 12:0 a.m.15 views

httparty has multipart/form-data request tampering vulnerability

HTTP multipart/form-data request tampering vulnerability in httparty 0.20.0, due to lack of proper escaping of double quotes within the filename attribute of the Content-Disposition header. If the Content-Disposition header is set to "form-data" and contains the "filename" attribute, and the...

5.3CVSS6.9AI score0.0129EPSS
Exploits1References1Affected Software1
GithubExploit
GithubExploit
added 2021/12/09 9:48 a.m.747 views

Exploit for Path Traversal in Grafana

CVE-2021-43798 !Alt texthttps://github.com/z3n70/CVE-...

7.5CVSS7.9AI score0.88849EPSS
Exploits44
OSV
OSV
added 2017/10/24 6:33 p.m.75 views

GHSA-MGX3-27HR-MFGP HTTParty does not restrict casts of string values

The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service memory and CPU consumption by leveraging Action Pack support for YAML type...

7.5CVSS7.7AI score0.0441EPSS
Exploits1References7
Github Security Blog
Github Security Blog
added 2017/10/24 6:33 p.m.85 views

HTTParty does not restrict casts of string values

The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service memory and CPU consumption by leveraging Action Pack support for YAML type...

7.5CVSS5.2AI score0.0441EPSS
Exploits1References7Affected Software1
NVD
NVD
added 2013/04/09 8:55 p.m.36 views

CVE-2013-1801

The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service memory and CPU consumption by leveraging Action Pack support for YAML type...

7.5CVSS7.1AI score0.0441EPSS
Exploits1References4
Prion
Prion
added 2013/04/09 8:55 p.m.46 views

Type confusion

The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service memory and CPU consumption by leveraging Action Pack support for YAML type...

7.5CVSS7.7AI score0.99449EPSS
Exploits22References4Affected Software1
Rows per page
Query Builder