Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

Owasp Modsecurity Core Rule Set Security Vulnerabilities

cve
cve

CVE-2018-16384

A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {ab} where a is a special function name (such as "if") and b is the SQL statement to be executed.

7.5CVSS

8.2AI Score

0.001EPSS

2018-09-03 02:29 AM
28
4
cve
cve

CVE-2020-22669

Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.

9.8CVSS

9.6AI Score

0.003EPSS

2022-09-02 06:15 PM
23
7
cve
cve

CVE-2021-35368

OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname.

9.8CVSS

9.2AI Score

0.009EPSS

2021-11-05 06:15 PM
46
4
cve
cve

CVE-2022-39955

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" nam...

9.8CVSS

9AI Score

0.013EPSS

2022-09-20 07:15 AM
63
6
cve
cve

CVE-2022-39956

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and ins...

9.8CVSS

8.6AI Score

0.005EPSS

2022-09-20 07:15 AM
92
6
cve
cve

CVE-2022-39957

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web app...

7.5CVSS

8.3AI Score

0.002EPSS

2022-09-20 07:15 AM
54
8
cve
cve

CVE-2022-39958

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be...

7.5CVSS

8.3AI Score

0.003EPSS

2022-09-20 07:15 AM
61
4