Featured Image from URL < 4.0.1 - Admin+ Stored Cross-Site Scripting

The plugin does not validate, sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup POST...

Fixed CVEs in httpd: CVE-2022-31813, CVE-2022-28615, CVE-2022-26377

CVE-2022-26377: modproxyajp: fix HTTP request smuggling - CVE-2022-28615: fix possible out-of-bounds read in apstrcmpmatch - CVE-2022-31813: modproxy: preserve original request headers so an upstream knows what the original request hostname was, and so send X-Forwarded- headers correctly...

This Week in Spring - May 31st, 2022

Hi, Spring fans! And welcome to another installment of This Week in Spring! Ive just returned from three wonderful weeks overseas and now, Im pleased as punch to convey, that Im home! And hopefully, COVID-19 free! Who knows what sort of nonsense I caught on the flight home, anyway. Some things, I...

GHSA-JMRX-5G74-6V2F Kubernetes client-go library logs may disclose credentials to unauthorized users

The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components such as kube-apiserver prior to v1.16.0, which make use of basic or bearer token authentication, and run ...

Insertion of Sensitive Information into Log File

The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components such as kube-apiserver prior to v1.16.0, which make use of basic or bearer token authentication, and run ...

Insertion of Sensitive Information into Log File

The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components such as kube-apiserver prior to v1.16.0, which make use of basic or bearer token authentication, and run ...

CVE-2019-20800

In Cherokee through 1.2.104, remote attackers can trigger an out-of-bounds write in cherokeehandlercgiaddenvpair in handlercgi.c by sending many request headers, as demonstrated by a GET request with many "Host: 127.0.0.1" headers...

GHSA-5GG7-5WV8-4GCJ Undertow Request Smuggling vulnerability

It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling...

GHSA-5CW4-GGX9-36VG Apache Tomcat Denial of Service via Malformed Request Headers

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and modjk load balancing are used, allows remote attackers to cause a denial of service application outage via a crafted request with invalid headers, related to temporary blocking of...

Apache Tomcat Denial of Service via Malformed Request Headers

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and modjk load balancing are used, allows remote attackers to cause a denial of service application outage via a crafted request with invalid headers, related to temporary blocking of...

CVE-2022-1165

The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP etc to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search...

PT-2021-24128 · Privoxy +2 · Privoxy +2

Name of the Vulnerable Software and Affected Versions: Privoxy affected versions not specified Description: A vulnerability was found in Privoxy, which was fixed by freeing header memory when failing to get the request destination in the process encrypted request headers function. Recommendations...

Privoxy 输入验证错误漏洞

Privoxy is a proxy server from the Privoxy team in the USA that does not cache web pages and comes with its own filtering features. It has advanced filtering features to enhance privacy, modify web data and HTTP headers, control access and remove advertisements and other annoying Internet...

Privoxy -- Multiple vulnerabilities (memory leak, XSS)

Privoxy reports: cgierrornotemplate: Encode the template name to prevent XSS cross-site scripting when Privoxy is configured to servce the user-manual itself. Commit 0e668e9409c. OVE-20211102-0001. CVE-2021-44543. Reported by: Artem Ivanov geturlspecparam: Free memory of compiled pattern spec...

CVE-2021-20844

Improper neutralization of HTTP request headers for scripting syntax vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to obtain sensitive...

Input validation

Improper neutralization of HTTP request headers for scripting syntax vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to obtain sensitive...

Oracle Linux 7 / 8 : olcne (ELSA-2021-9525)

The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9525 advisory. - Update Istio to 1.9.8 to address CVE-2021-32777, CVE-2021-32778, CVE-2021-32779, CVE-2021-32780 & CVE-2021-32781 - Bump release, addresses the...

Apache Tomcat 6.x < 6.0.36 Multiple Vulnerabilities (Oct 2012) - Linux

Apache Tomcat is prone to multiple vulnerabilities. Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

PYSEC-2021-364

Scrapy-splash is a library which provides Scrapy and JavaScript integration. In affected versions users who use HttpAuthMiddleware i.e. the httpuser and httppass spider attributes for Splash authentication will have any non-Splash request expose your credentials to the request target. This includ...

OPENSUSE-SU-2021:1806-1 Security update for python-httplib2

This update for python-httplib2 fixes the following issues: - Update to version 0.19.0 bsc1182053. - CVE-2021-21240: Fixed regular expression denial of service via malicious header bsc1182053. - CVE-2020-11078: Fixed unescaped part of uri where an attacker could change request headers and body...