5 matches found
CVE-2023-52430
The CVE-2023-52430 entry concerns the caddy-security plugin for Caddy (version 1.1.20). A reflected Cross-Site Scripting (XSS) vulnerability exists in GET requests where the URL payload begins with /admin or /settings/mfa/delete/. Root cause: insufficient input sanitization in handling those endp...
CVE-2024-21492
CVE-2024-21492 affects github.com/greenpau/caddy-security. All versions are reported vulnerable to Insufficient Session Expiration due to improper user session invalidation after Sign Out, allowing sessions to remain active after requests to /logout and /oauth2/google/logout and enabling actions ...
CVE-2024-21498
CVE-2024-21498 : SSRF in the Go package github.com/greenpau/caddy-security across all versions, caused by manipulation of the X-Forwarded-Host header. Impact: attacker may access sensitive data or reach internal services. Remediation status: no concrete fix version is identified in the provided d...
CVE-2024-21496
CVE-2024-21496 affects all versions of the Go package github.com/greenpau/caddy-security. The vulnerability is a Cross-site Scripting (XSS) flaw via the Referer header caused by incomplete input sanitization. While some characters (e.g., &, , ", ') are escaped, the check does not cover attacks us...
CVE-2024-21500
The CVE-2024-21500 entry concerns the GitHub package github.com/greenpau/caddy-security, with reports across multiple sources (Red Hat, OSV, GHSA, PT-Security, etc.) that all versions are vulnerable to Improper Restriction of Excessive Authentication Attempts via 2FA. The core issue is a bypass o...