355 matches found
MpOperationLogs <= 1.0.1 - Unauthenticated Stored XSS
Description The plugin is vulnerable to Unauthenticated Stored Cross-Site Scripting via the IP Request Headers...
Cross site scripting
The MpOperationLogs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the IP Request Headers in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts...
GHSA-WQQ4-5WPV-MX2G Undici's cookie header not cleared on cross-origin redirect in fetch
Impact Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the...
CVE-2023-45143
A flaw was found in the Undici node package due to the occurrence of Cross-origin requests, possibly leading to a cookie header leakage. By default, cookie headers are forbidden request headers, and they must be enabled. This flaw allows a malicious user to access this leaked cookie if they have...
http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability
A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server...
CVE-2023-26148
All versions of the package ithewei/libhv are vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \r\n carriage return line feeds characters and inject additional headers in the request sent...
Crlf injection
All versions of the package ithewei/libhv are vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \r\n carriage return line feeds characters and inject additional headers in the request sent...
CVE-2023-26148
All versions of the package ithewei/libhv are vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \r\n carriage return line feeds characters and inject additional headers in the request sent...
PT-2023-20526 · Unknown · Ithewei/Libhv
Name of the Vulnerable Software and Affected Versions: ithewei/libhv versions all Description: The issue affects the ithewei/libhv package, where untrusted user input used to set request headers can lead to CRLF Injection. An attacker can inject additional headers into the request by adding...
reactor-netty-http: Log request headers in some cases of invalid HTTP requests
A flaw was found in the Reactor Netty HTTP Server, which may log request headers in some cases of invalid HTTP requests. This could allow an attacker to access privileged information when WARN level logging is enabled...
CVE-2023-40518
LiteSpeed OpenLiteSpeed before 1.7.18 does not strictly validate HTTP request headers...
Leak Of Webhook Secret Token
gitlab is vulnerable to Leak Of Webhook Secret Token. The vulnerability exists because the project maintainer could leak a webhook secret token by changing the webhook URL to an endpoint, allowing them to capture request headers...
CVE-2023-36921
SAP Solution Manager Diagnostics agent - version 7.20, allows an attacker to tamper with headers in a client request. This misleads SAP Diagnostics Agent to serve poisoned content to the server. On successful exploitation, the attacker can cause a limited impact on confidentiality and availabilit...
CVE-2023-26138
All versions of the package drogonframework/drogon are vulnerable to CRLF Injection when untrusted user input is used to set request headers in the addHeader function. An attacker can add the \r\n carriage return line feeds characters and inject additional headers in the request sent...
Crlf injection
All versions of the package drogonframework/drogon are vulnerable to CRLF Injection when untrusted user input is used to set request headers in the addHeader function. An attacker can add the \r\n carriage return line feeds characters and inject additional headers in the request sent...
CVE-2023-26138
All versions of the package drogonframework/drogon are vulnerable to CRLF Injection when untrusted user input is used to set request headers in the addHeader function. An attacker can add the \r\n carriage return line feeds characters and inject additional headers in the request sent...
GHSA-V3R5-PJPM-MWGQ Async HTTP Client has CRLF Injection vulnerability in HTTP request headers
Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection. This vulnerability was the result of insufficient validation of HTTP header field values before sending them to the network. Users are vulnerable if they pass untrusted...
Async HTTP Client has CRLF Injection vulnerability in HTTP request headers
Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection. This vulnerability was the result of insufficient validation of HTTP header field values before sending them to the network. Users are vulnerable if they pass untrusted...
Async HTTP Client has CRLF Injection vulnerability in HTTP request headers
Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection. This vulnerability was the result of insufficient validation of HTTP header field values before sending them to the network. Users are vulnerable if they pass untrusted...
CRLF Injection
Overview Affected versions of this package are vulnerable to CRLF Injection when untrusted user input is used to set request headers in the addHeader function. An attacker can add the \r\n carriage return line feeds characters and inject additional headers in the request sent. Remediation There i...