2135 matches found
CVE-2023-26044
Removed by vendor...
CVE-2023-26044 ReactPHP's HTTP server continues parsing unused multipart parts after reaching limits
react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP. Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impa...
ReactPHP's HTTP server continues parsing unused multipart parts after reaching input field and file upload limits
Summary Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impact on the default configuration, but can be exploited when explicitly using the...
Jenkins Reverse Proxy Auth Plugin cross-site request forgery vulnerability
Jenkins Reverse Proxy Auth Plugin 1.7.4 and earlier does not require POST requests for a form validation method, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials...
org.jenkins-ci.plugins:reverse-proxy-auth-plugin (>=1.3.3 <=1.6.3) potentially affected by CVE-2023-32978 via org.jenkins-ci.plugins:ldap (=1.8)
org.jenkins-ci.plugins:ldap MAVEN version =1.8 is affected by a known vulnerability. The following packages have a transitive dependency on org.jenkins-ci.plugins:ldap and may be impacted: - org.jenkins-ci.plugins:reverse-proxy-auth-plugin =1.3.3, =1.6.3 Source cves: CVE-2023-32978 Source advisor...
GHSA-PMMR-R9V2-59P8 Jenkins Reverse Proxy Auth Plugin cross-site request forgery vulnerability
Jenkins Reverse Proxy Auth Plugin 1.7.4 and earlier does not require POST requests for a form validation method, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials...
CVE-2023-32987
A cross-site request forgery CSRF vulnerability in Jenkins Reverse Proxy Auth Plugin 1.7.4 and earlier allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials...
Cross site request forgery (csrf)
A cross-site request forgery CSRF vulnerability in Jenkins Reverse Proxy Auth Plugin 1.7.4 and earlier allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials...
CVE-2023-32987
A cross-site request forgery CSRF vulnerability in Jenkins Reverse Proxy Auth Plugin 1.7.4 and earlier allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials...
CVE-2023-32987
The CVE affects Jenkins Reverse Proxy Auth Plugin (versions ≤ 1.7.4). A CSRF flaw allows an attacker to connect to an attacker-specified LDAP server using attacker-specified credentials. Impact is high on confidentiality, integrity, and availability (CVE-2023-32987, CVSS v3.1: 8.8). The issue ari...
golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality...
golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an...
golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an...
golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality...
golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an...
PT-2023-3358 · Jenkins · Jenkins Reverse Proxy Auth Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Reverse Proxy Auth Plugin versions 1.7.4 and earlier Description: The issue is related to a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified LDAP server using...
Jenkins Plugin Reverse Proxy Auth 跨站请求伪造漏洞
Jenkins and Jenkins Plugin are both Jenkins open source products.Jenkins is a software application. An open source automation server Jenkins provides hundreds of plugins to support building, deploying, and automating any project.Jenkins Plugin is a software application. A security vulnerability...
New Phishing-as-a-Service Platform Lets Cybercriminals Generate Convincing Phishing Pages
A new phishing-as-a-service PhaaS or PaaS platform named Greatness has been leveraged by cybercriminals to target business users of the Microsoft 365 cloud service since at least mid-2022, effectively lowering the bar to entry for phishing attacks. "Greatness, for now, is only focused on Microsof...
Sql injection
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.37 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, Personal Access Tokens PATs generate unrestricted session cookies. This may lead to a bypass of other access...
CVE-2023-31139 DHIS2 Core unrestricted session cookies with Personal Access Tokens
DHIS2 Core contains the service layer and Web API for DHIS2, an information system for data capture. Starting in the 2.37 branch and prior to versions 2.37.9.1, 2.38.3.1, and 2.39.1.2, Personal Access Tokens PATs generate unrestricted session cookies. This may lead to a bypass of other access...