17 matches found
CVE-2017-17562
Embedthis GoAhead before 3.6.5 allows remote code execution when CGI is enabled and a CGI program is dynamically linked. The root cause is the initialization of the CGI environment from untrusted HTTP request parameters in cgi.c, enabling abuse via LD_PRELOAD and similar payloads posted to /proc/...
CVE-2019-16645
CVE-2019-16645 affects Embedthis GoAhead 2.5.0 (and potentially similar versions). The issue is an HTTP Host header-based host name leakage in certain pages (e.g., goform/login, config/log_off_page.htm) that causes links to be constructed using an attacker-controlled Host header, enabling phishin...
CVE-2017-5674
CVE-2017-5674 affects a GoAhead-based web server used in Foscam, VStarcam, and several white-label IP cameras. The vulnerability arises from crafting a malformed HTTP request (GET system.ini HTTP/1.1 with no leading slash) that discloses the device’s configuration file containing login credential...
CVE-2021-42342
CVE-2021-42342 affects EmbedThis GoAhead Web Server (GoAhead) prior to 5.1.5. The issue is in the file upload filter: user form variables can reach CGI scripts without the CGI_ prefix, allowing untrusted environment variables to be passed and enabling remote code execution. Affected component: fi...
CVE-2019-19240
The CVE-2019-19240 entry concerns Embedthis GoAhead before 5.0.1. Affected component: GoAhead WebsRedirect, which uses a fixed-size host buffer. Under certain redirected HTTP requests with a large Host header, the copy of the Host header can overflow, leaving the buffer uninitialized and potentia...
CVE-2019-5096
CVE-2019-5096 is a use-after-free vulnerability in the GoAhead web server (Embedthis/Rockwell context) triggered by processing multipart/form-data. A specially crafted HTTP request (unauthenticated via GET/POST) can corrupt heap and lead to remote code execution. Affected GoAhead versions include...
CVE-2020-15688
Vulnerability context: GoAhead Web Server before 5.1.2 is susceptible to a Digest authentication replay attack. An unauthenticated remote attacker can bypass authentication via capture-replay if TLS is not protecting the channel. The issue is tied to the Digest authentication implementation, not ...
CVE-2019-5097
The CVE-2019-5097 entry documents a denial-of-service in the GoAhead web server’s handling of multipart/form-data. A specially crafted, unauthenticated HTTP request (GET or POST), targeting GoAhead versions v5.0.1, v4.1.1, and v3.6.5, can cause an infinite loop in the process, potentially impacti...
CVE-2017-5675
The CVE-2017-5675 issue affects a custom GoAhead web server used in Foscam, Vstarcam, and multiple white-label IP cameras. The mail.htm page’s mail-sending form allows an attacker to inject a command into the receiver1 field, which is then executed with root privileges. The vulnerability is trigg...
CVE-2019-12822
CVE-2019-12822 affects Embedthis GoAhead, specifically http.c, where a header parsing vulnerability in GoAhead before 4.1.1 and 5.x before 5.0.1 leads to a memory assertion, out-of-bounds memory reference, and potential DoS (demonstrated by a colon on a line by itself). Connected documents corrob...
CVE-2021-41615
The CVE-2021-41615 entry relates to GoAhead WebServer 2.1.8 (websda.c) having insufficient nonce entropy because nonce calculation uses a hardcoded value (onceuponatimeinparadise) that does not comply with RFC 7616/2617 secret-data guidelines. The vulnerability is documented with a high CVSS v3.1...
CVE-2014-9707
CVE-2014-9707 affects EmbedThis GoAhead Web Server 3.0.0–3.4.1. The vulnerability is in websNormalizeUriPath, which mishandles URI segments starting with a dot, enabling remote attackers to perform directory traversal and trigger a heap-based buffer overflow, potentially leading to crash or arbit...
CVE-2021-43298
CVE-2021-43298 corresponds to a vulnerability in Embedthis GoAhead web server where the password check for HTTP Basic authentication does not use constant-time comparison and lacks rate-limiting, enabling an unauthenticated attacker to brute-force the password by timing responses. Connected sourc...
CVE-2018-15505
CVE-2018-15505 describes a NULL pointer dereference inEmbedthis GoAhead (before 4.0.1) and Appweb (before 7.0.2) triggered by an HTTP POST with a specially crafted Host header, notably demonstrated by a missing trailing ‘]’ in IPv6 addresses, causing a denial of service. Affected products/version...
CVE-2018-15504
CVE-2018-15504 affects Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The issue is a NULL pointer dereference caused by mishandling HTTP time-related request fields, demonstrated by If-Modified-Since or If-Unmodified-Since with a month value >11. This can lead to denial of service. Th...
CVE-2017-1000471
CVE-2017-1000471 affects EmbedThis GoAhead Webserver 4.0.0. Root cause: NULL pointer dereference in the CGI handler, leading to memory corruption or denial of service. Documents do not provide patch/version remediation details or explicit exploitation status.
CVE-2017-14149
GoAhead 3.4.0–3.6.5 is affected by a NULL pointer dereference in the websDecodeUrl function of http.c when handling a POST / HTTP/1.1 request, leading to a crash. The issue is confirmed across CVE records and vendor/security pages in the connected documents. Root cause: null pointer dereference i...