7 matches found
MiracleLinux 7 : mod_auth_mellon-0.14.0-8.el7 (AXSA:2020-4541:01)
The remote MiracleLinux 7 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2020-4541:01 advisory. modauthmellon: Open Redirect via the login?ReturnTo= substring which could facilitate information theft CVE-2019-13038 Tenable has extracted the preceding...
MiracleLinux 8 : mod_auth_mellon-0.14.0-12.el8.1 (AXSA:2022-3531:01)
The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2022-3531:01 advisory. modauthmellon: Open Redirect vulnerability in logout URLs CVE-2021-3639 Tenable has extracted the preceding description block directly from the MiracleLinux...
mod_auth_mellon: Open Redirect vulnerability in logout URLs
A flaw was found in modauthmellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an external and potentially malicious server. The highest threa...
USN-4597-1 libapache2-mod-auth-mellon vulnerabilities
François Kooman discovered that modauthmellon incorrectly handled cookies. An attacker could possibly use this issue to cause a Cross-Site Session Transfer attack. CVE-2017-6807 It was discovered that modauthmellon incorrectly handled certain requests. An attacker could possibly use this issue to...
PT-2019-5693 · Apache +3 · Mod Auth Mellon +4
Name of the Vulnerable Software and Affected Versions: mod auth mellon versions 0.14.2 and earlier Description: The issue is related to an Open Redirect via the login?ReturnTo= substring. This can be exploited by omitting the // after http: in the target URL, allowing a remote attacker to redirec...
UBUNTU-CVE-2019-3878
A vulnerability was found in modauthmellon before v0.14.2. If Apache is configured as a reverse proxy and modauthmellon is configured to only let through authenticated users with the require valid-user directive, adding special HTTP headers that are normally used to start the special SAML ECP...
DEBIAN-CVE-2017-6807
modauthmellon before 0.13.1 is vulnerable to a Cross-Site Session Transfer attack, where a user with access to one web site running on a server can copy their session cookie to a different web site on the same server to get access to that site...