Lucene search
K

120 matches found

OSV
OSV
added 2023/12/06 7:0 a.m.4 views

UBUNTU-CVE-2023-46218

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a...

6.5CVSS6.6AI score0.01685EPSS
Exploits1References5
CNNVD
CNNVD
added 2023/12/06 12:0 a.m.2 views

curl security vulnerability

curl is a tool for transferring data from or to a server. A security vulnerability exists in curl versions 7.46.0 through 8.4.0, which stems from a mixed-case flaw in the curl function that allows a malicious HTTP server to set super cookies in curl and then pass back more information...

6.5CVSS6.7AI score0.01685EPSS
Exploits1References15
Hacker One
Hacker One
added 2023/10/16 6:28 p.m.96 views

curl: CVE-2023-46218: cookie mixed case PSL bypass

A vulnerability in libcurl was discovered that allows bypassing cookie domain restrictions through improper hostname normalization. This enables a malicious site to set supercookies readable by other sites under the same top level domain. The issue was caused by libcurl failing to convert the...

6.5CVSS6.2AI score0.01685EPSS
Exploits1
Amazon
Amazon
added 2023/08/25 12:0 a.m.19 views

Important: ecs-service-connect-agent

Issue Overview: Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, a malicious client is able to construct credentials with permanent validity in some specific scenarios. This is caused by the some...

9.8CVSS6.9AI score0.01288EPSS
Exploits3
BDU FSTEC
BDU FSTEC
added 2023/07/28 12:0 a.m.6 views

The vulnerability of the Envoy proxy server, related to errors in processing mixed-case schemes in HTTP/2, allows attackers to gain access to protected data.

The vulnerability of the Envoy proxy server is related to errors in the processing of mixed-case schemes in HTTP/2. Exploiting this vulnerability can allow a remote attacker to gain access to protected data...

8.5CVSS6.7AI score0.00598EPSS
Exploits1References2Affected Software1
RedhatCVE
RedhatCVE
added 2023/07/26 4:47 p.m.43 views

CVE-2023-35944

A flaw was found in Envoy that allows for mixed-case schemes in HTTP/2. However, some internal scheme checks in Envoy are case-sensitive, leading to incorrect handling of requests and responses with mixed case schemes. For example, if a request with a mixed scheme HTTP is sent to the OAuth2 filte...

8.2CVSS6.8AI score0.00598EPSS
Exploits1References3
Prion
Prion
added 2023/07/25 7:15 p.m.22 views

Design/Logic Flaw

Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows mixed-case schemes in HTTP/2, however, some internal scheme checks are case-sensitive. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, this can lead to the rejection of requests wit...

5CVSS6.1AI score0.00598EPSS
Exploits1References1Affected Software1
CNNVD
CNNVD
added 2023/07/25 12:0 a.m.4 views

Envoy 环境问题漏洞

Envoy is an open source distributed proxy server. Envoy suffers from an environmental issue vulnerability that stems from the ability to bypass certain requests, which could result in requests using a mixed-case scheme being denied...

8.2CVSS6.7AI score0.00598EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2023/07/25 12:0 a.m.4 views

PT-2023-3901 · Envoy · Envoy

Name of the Vulnerable Software and Affected Versions: Envoy versions prior to 1.27.0 Envoy versions prior to 1.26.4 Envoy versions prior to 1.25.9 Envoy versions prior to 1.24.10 Envoy versions prior to 1.23.12 Description: The issue is related to the handling of mixed-case schemes in HTTP/2 by...

8.5CVSS6.8AI score0.00598EPSS
Exploits1References11
SUSE CVE
SUSE CVE
added 2023/02/15 5:20 a.m.7 views

SUSE CVE-2015-2935

MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to bypass the SVG filtering and obtain sensitive user information via a mixed case @import in a style element in an SVG file, as demonstrated by "@imporT."...

5CVSS6.3AI score0.02451EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2023/02/15 4:26 a.m.2 views

SUSE CVE-2018-12123

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" e.g. "javAscript:" protoc...

5.1CVSS8.5AI score0.0405EPSS
Exploits0References10
Cvelist
Cvelist
added 2019/03/07 10:0 p.m.29 views

CVE-2018-17418

Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbiddentypes variable...

7.9AI score0.03069EPSS
Exploits1References1
CNVD
CNVD
added 2019/02/25 12:0 a.m.2 views

ZZCMS Cross-Site Scripting Vulnerability (CNVD-2019-05298)

ZZCMS is a content management system CMS by the ZZCMS team in China. A cross-site scripting vulnerability exists in the 2019 version of ZZCMS, which stems from the inc/stopsqlin.php file accepting mixed case strings, which can be exploited by remote attackers to inject arbitrary web script or HTM...

5.4CVSS6.2AI score0.00637EPSS
Exploits1References1
OSV
OSV
added 2019/02/24 5:29 p.m.4 views

CVE-2019-9078

zzcms 2019 has XSS via an arbitrary user/ask.php?do=modify parameter because inc/stopsqlin.php does not block a mixed-case string such as sCrIpT...

5.4CVSS6.2AI score
Exploits0References1
Cvelist
Cvelist
added 2019/02/24 5:0 p.m.20 views

CVE-2019-9078

zzcms 2019 has XSS via an arbitrary user/ask.php?do=modify parameter because inc/stopsqlin.php does not block a mixed-case string such as sCrIpT...

5.4AI score0.00637EPSS
Exploits1References1
CNVD
CNVD
added 2019/01/15 12:0 a.m.4 views

DedeCMS Arbitrary PHP Code Execution Vulnerability (CNVD-2019-04908)

Desdev DedeCMS Dream Weaving Content Management System is China's Zhuozhuo network Desdev Technology Co., Ltd. of a set of open-source set of content publishing, editing, management and retrieval is equal to one of the PHP Web site content management system CMS. A security vulnerability exists in...

8.8CVSS7.4AI score0.01929EPSS
Exploits0References1
OSV
OSV
added 2018/12/26 3:29 a.m.4 views

CVE-2018-20478

An issue was discovered in S-CMS 1.0. It allows reading certain files, such as PHP source code, via the admin/download.php DownName parameter with a mixed-case extension, as demonstrated by a DownName=download.Php value...

7.5CVSS5.8AI score0.01208EPSS
Exploits1References1
CNVD
CNVD
added 2018/12/17 12:0 a.m.5 views

zzzphp cms arbitrary file deletion vulnerability

zzzphp cms is a PHP-based content management system CMS. An arbitrary file deletion vulnerability exists in the 'delfile' function of the /admin/save.php file in version 1.5.8 of zzzphp cms, which allows a remote attacker to delete files with the help of a mixed upper and lower case extension and...

7.5CVSS7.1AI score0.01388EPSS
Exploits1References1
OSV
OSV
added 2018/12/13 8:29 a.m.3 views

CVE-2018-20127

An issue was discovered in zzzphp cms 1.5.8. delfile in /admin/save.php allows remote attackers to delete arbitrary files via a mixed-case extension and an extra '.' character, because for example "php" is blocked but path=F:/1.phP. succeeds...

7.5CVSS5.9AI score0.01388EPSS
Exploits1References1
OSV
OSV
added 2018/11/28 5:29 p.m.2 views

ALPINE-CVE-2018-12123

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" e.g. "javAscript:" protoc...

4.3CVSS8.9AI score0.0405EPSS
Exploits0References1
Rows per page
Query Builder