4428 matches found

RedHat Linux
added 2023/04/05 1:34 p.m. | 2 views

jetty-http: improper hostname input handling

A flaw was found in Eclipse Jetty. When parsing the authority segment of an HTTP scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This issue can lead to failures in a Proxy scenario...

CVSS 4 | AI score 7.1 | EPSS 0.00401 | Exploits 0 | References 5

CNNVD
added 2023/04/05 12:0 a.m. | 3 views

GitLab security vulnerability

GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD Continuous Integration and Continuous Delivery, and other features. A security vulnerability exists in GitLab that stems from a search timeout tha...

CVSS 5.3 | AI score 5.6 | EPSS 0.00494 | Exploits 0 | References 3

OSV
added 2023/04/04 10:15 p.m. | 1 views

UBUNTU-CVE-2023-1821

Inappropriate implementation in WebShare in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to potentially hide the contents of the Omnibox URL bar via a crafted HTML page. Chromium security severity: Low...

CVSS 6.5 | AI score 7.3 | EPSS 0.00245 | Exploits 0 | References 5

Japan Vulnerability Notes
added 2023/03/31 6:54 a.m. | 3 views

HAProxy vulnerable to HTTP request/response smuggling

Overview: HAProxy's HTTP/3 implementation fails to block a malformed HTTP header field name, and when deployed in front of a server that incorrectly processes this malformed header, it may be used to conduct an HTTP request/response smuggling attack (CWE-444). Yuki Mogi of FFRI Security, Inc. reported...

CVSS 7.3 | AI score 6.6 | EPSS 0.00065 | Exploits 0 | References 6

CNNVD
added 2023/03/30 12:0 a.m. | 2 views

Virames Vira-Investing security vulnerability

Virames Vira-Investing is an application from Virames, Inc. A security vulnerability exists in Virames Vira-Investing prior to version 1.0.84.86, which stems from an improper neutralization of HTML tags in Vira-Investing web pages...

CVSS 6.1 | AI score 6.2 | EPSS 0.00338 | Exploits 0 | References 2

RedHat Linux
added 2023/03/29 11:45 a.m. | 4 views

undertow: Server identity in https connection is not checked by the undertow client

A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step that should at least be performed by default in HTTPS and in http/2...

CVSS 7.5 | AI score 5.7 | EPSS 0.00155 | Exploits 0 | References 4

VulnCheck KEV
added 2023/03/27 12:0 a.m. | 4 views

VulnCheck KEV: CVE-2023-32435

Apple iOS, iPadOS, macOS, and Safari WebKit contain a memory corruption vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products...

CVSS 8.8 | AI score 7.6 | EPSS 0.00415 | Exploits 1 | References 1

BDU FSTEC
added 2023/03/27 12:0 a.m. | 1 views

The vulnerability of the Google Chrome browser’s Navigation function, which allows a hacker to bypass security restrictions

The vulnerability of Google Chrome’s Navigation function is related to deficiencies in access control. Exploiting this vulnerability allows a malicious actor to bypass security restrictions using a specially created HTML page...

CVSS 5 | AI score 5.8 | EPSS 0.00037 | Exploits 0 | References 8 | Affected Software 4

BDU FSTEC
added 2023/03/27 12:0 a.m. | 3 views

The vulnerability of the Metrics component in the Google Chrome browser allows a perpetrator to compromise the confidentiality, integrity, and accessibility of the protected information.

The vulnerability of the Metrics component in Google Chrome browser relates to the issue of operations going beyond the buffer in memory when processing HTML content. Exploiting this vulnerability allows an attacker to compromise the confidentiality, integrity, and accessibility of the protected...

CVSS 10 | AI score 7.8 | EPSS 0.00162 | Exploits 0 | References 11 | Affected Software 5

BDU FSTEC
added 2023/03/26 12:0 a.m. | 1 views

The vulnerability of the Mozilla Firefox browser, related to the execution of operations beyond the buffer in memory, allows an attacker to execute arbitrary code.

The vulnerability of the Mozilla Firefox browser is related to the execution of operations beyond the buffer boundaries in memory when processing HTML content. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...

CVSS 7.6 | AI score 8.1 | EPSS 0.00229 | Exploits 0 | References 9 | Affected Software 6

BDU FSTEC
added 2023/03/23 12:0 a.m. | 2 views

The vulnerability of the HTTP-protocol implementation (http.sys) in Windows operating systems allows a hacker to execute arbitrary code.

The vulnerability of the HTTP-protocol implementation http.sys in Windows operating systems exists due to insufficient validation of input data. Exploiting this vulnerability allows a malicious actor to execute arbitrary code via a specially crafted HTTP/3 request from a remote location...

CVSS 10 | AI score 8.6 | EPSS 0.14456 | Exploits 0 | References 3

BDU FSTEC
added 2023/03/22 12:0 a.m. | 2 views

The vulnerability of Google Chrome and Microsoft Edge browsers’ Intents function allows attackers to compromise the integrity of protected information.

The vulnerability of Intents functions in Google Chrome and Microsoft Edge is related to deficiencies in access control. Exploiting this vulnerability allows a malicious actor to compromise the integrity of protected information through a specially created HTML page...

CVSS 5 | AI score 6.4 | EPSS 0.00268 | Exploits 0 | References 9 | Affected Software 5

RedHat Linux
added 2023/03/15 7:58 p.m. | 0 views

golang: net/http: handle server errors after sending GOAWAY

A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown...

CVSS 7.5 | AI score 6.6 | EPSS 0.00098 | Exploits 0 | References 6

OSV
added 2023/03/14 5:15 p.m. | 2 views

CVE-2023-23392

HTTP Protocol Stack Remote Code Execution Vulnerability...

CVSS 9.8 | AI score 7.7 | EPSS 0.14456 | Exploits 0 | References 1

Positive Technologies
added 2023/03/14 12:0 a.m. | 2 views

PT-2023-1868 · Microsoft · Windows

Name of the Vulnerable Software and Affected Versions: Windows versions prior to the fixed version
Description: The issue is related to insufficient input validation in the HTTP protocol stack implementation, specifically in the http.sys component of Windows operating systems. This can be exploit...

CVSS 9.8 | AI score 9.7 | EPSS 0.14456 | Exploits 0 | References 13

SUSE CVE
added 2023/03/09 3:53 a.m. | 2 views

SUSE CVE-2023-1225

Insufficient policy enforcement in Navigation in Google Chrome on iOS prior to 111.0.5563.64 allowed a remote attacker to bypass same origin policy via a crafted HTML page. Chromium security severity: Medium...

CVSS 4.3 | AI score 8.5 | EPSS 0.00037 | Exploits 0 | References 6

SUSE CVE
added 2023/03/09 3:53 a.m. | 1 views

SUSE CVE-2023-1228

Insufficient policy enforcement in Intents in Google Chrome on Android prior to 111.0.5563.64 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Medium...

CVSS 4.3 | AI score 8.6 | EPSS 0.00268 | Exploits 0 | References 6

OSV
added 2023/03/07 10:15 p.m. | 3 views

DEBIAN-CVE-2023-1234

Inappropriate implementation in Intents in Google Chrome on Android prior to 111.0.5563.64 allowed a remote attacker to perform domain spoofing via a crafted HTML page. Chromium security severity: Low...

CVSS 4.3 | AI score 6.9 | EPSS 0.00364 | Exploits 7 | References 1

OSV
added 2023/03/07 10:15 p.m. | 1 views

DEBIAN-CVE-2023-1236

Inappropriate implementation in Internals in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to spoof the origin of an iframe via a crafted HTML page. Chromium security severity: Low...

CVSS 4.3 | AI score 6.2 | EPSS 0.00271 | Exploits 0 | References 1

OSV
added 2023/03/07 10:15 p.m. | 1 views

DEBIAN-CVE-2023-1217

Stack buffer overflow in Crash reporting in Google Chrome on Windows prior to 111.0.5563.64 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. Chromium security severity: High...

CVSS 6.5 | AI score 7.9 | EPSS 0.00061 | Exploits 0 | References 1