Design/Logic Flaw
This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or `__proto__` payload...
CVE-2021-23408
CVE-2021-23408 affects com.graphhopper:graphhopper-web-bundle. The root cause is a prototype pollution in the URL parser that can add/modify properties on Object.prototype via constructor or `__proto__` payload. Affected versions: before 3.2, and 4.0-pre1 through before 4.0. Remediation: upgrade to Gra...
CVE-2021-23408 Prototype Pollution
This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or `__proto__` payload...
CVE-2021-23408
This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or `__proto__` payload...
graphhopper Security Vulnerability
graphhopper is a software application. A fast and memory efficient Java routing engine, released under the Apache License 2.0. A security vulnerability exists in graphhopper, which stems from the possibility that the URL parser could be tricked into adding or modifying properties of an Object. The...
PT-2021-15499 · Graphhopper · Graphhopper-Web-Bundle
Name of the Vulnerable Software and Affected Versions: com.graphhopper:graphhopper-web-bundle versions prior to 3.2; com.graphhopper:graphhopper-web-bundle versions 4.0-pre1 through 4.0. Description: The issue affects the URL parser, which could be tricked into adding or modifying properties of...
The vulnerability of the php_url_parse_ex() function in the PHP interpreter allows a hacker to perform an SSRF attack.
The vulnerability of the php_url_parse_ex() function in the PHP interpreter is related to insufficient validation of incoming requests. Exploiting this vulnerability allows a malicious actor to execute an SSRF attack remotely...
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.
...
Hostname Validation Bypass
sanitize-html is vulnerable to hostname validation bypass. The package does not properly validate the iframe hostname in URL parser, allowing an IDNA Internationalized Domain Name iframe attack...
curl: Abusing URL Parsers by long schema name
Summary: There is a known technique to exploit the inconsistency of URL parser and URL requester logic to perform a Server Side Request Forgery attack. It was first presented by Orange Tsai in "A New Era Of SSRF Exploiting URL Parser". Firstly I found the familiar issue at old versions of curl, but explo...
CVE-2018-12123
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" e.g. "javAscript:" protoc...
The vulnerability of the URL parser in the Node.js library allows a hacker to gain unauthorized access to protected data.
The vulnerability of Node.js’s URL parser lies in errors during the processing of HTTP packets. Exploiting this vulnerability allows a malicious actor, operating remotely, to gain unauthorized access to protected data through HTTP requests...
CVE-2019-5839
Excessive data validation in URL parser in Google Chrome prior to 75.0.3770.80 allowed a remote attacker who convinced a user to input a URL to bypass website URL validation via a crafted URL...
DEBIAN-CVE-2019-5839
Excessive data validation in URL parser in Google Chrome prior to 75.0.3770.80 allowed a remote attacker who convinced a user to input a URL to bypass website URL validation via a crafted URL...
CVE-2019-5839
Excessive data validation in URL parser in Google Chrome prior to 75.0.3770.80 allowed a remote attacker who convinced a user to input a URL to bypass website URL validation via a crafted URL...
Authentication flaw
Excessive data validation in URL parser in Google Chrome prior to 75.0.3770.80 allowed a remote attacker who convinced a user to input a URL to bypass website URL validation via a crafted URL...
CVE-2019-5839
CVE-2019-5839 affects Google Chrome (Chromium) prior to 75.0.3770.80. The issue is excessive data validation in the URL parser, enabling a remote attacker who lures a user to input a crafted URL to bypass website URL validation. Root cause: improper validation in the URL parsing logic. Impact, pe...
CVE-2019-5839
Excessive data validation in URL parser in Google Chrome prior to 75.0.3770.80 allowed a remote attacker who convinced a user to input a URL to bypass website URL validation via a crafted URL...
CVE-2019-5839
Excessive data validation in URL parser in Google Chrome prior to 75.0.3770.80 allowed a remote attacker who convinced a user to input a URL to bypass website URL validation via a crafted URL...
KLA11736 Multiple vulnerabilities in Opera
Multiple vulnerabilities were found in Opera. Malicious users can exploit these vulnerabilities to bypass security restrictions, spoof user interface, cause denial of service, obtain sensitive information. Below is a complete list of vulnerabilities: 1. Policy enforcement in Extensions component...