Lucene search
K
EmbedthisGoahead

17 matches found

CVE
CVE
added 2017/12/12 7:0 p.m.1097 views

CVE-2017-17562

Embedthis GoAhead before 3.6.5 allows remote code execution when CGI is enabled and a CGI program is dynamically linked. The root cause is the initialization of the CGI environment from untrusted HTTP request parameters in cgi.c, enabling abuse via LD_PRELOAD and similar payloads posted to /proc/...

8.1CVSS8.2AI score0.96327EPSS
In wildWeb
CVE
CVE
added 2019/09/20 6:24 p.m.539 views

CVE-2019-16645

CVE-2019-16645 affects Embedthis GoAhead 2.5.0 (and potentially similar versions). The issue is an HTTP Host header-based host name leakage in certain pages (e.g., goform/login, config/log_off_page.htm) that causes links to be constructed using an attacker-controlled Host header, enabling phishin...

8.6CVSS8.4AI score0.08183EPSS
CVE
CVE
added 2017/03/13 6:14 a.m.329 views

CVE-2017-5674

CVE-2017-5674 affects a GoAhead-based web server used in Foscam, VStarcam, and several white-label IP cameras. The vulnerability arises from crafting a malformed HTTP request (GET system.ini HTTP/1.1 with no leading slash) that discloses the device’s configuration file containing login credential...

9.8CVSS9.3AI score0.21575EPSS
CVE
CVE
added 2021/10/14 5:8 a.m.133 views

CVE-2021-42342

CVE-2021-42342 affects EmbedThis GoAhead Web Server (GoAhead) prior to 5.1.5. The issue is in the file upload filter: user form variables can reach CGI scripts without the CGI_ prefix, allowing untrusted environment variables to be passed and enabling remote code execution. Affected component: fi...

9.8CVSS9.3AI score0.5946EPSS
CVE
CVE
added 2019/11/22 6:46 p.m.125 views

CVE-2019-19240

The CVE-2019-19240 entry concerns Embedthis GoAhead before 5.0.1. Affected component: GoAhead WebsRedirect, which uses a fixed-size host buffer. Under certain redirected HTTP requests with a large Host header, the copy of the Host header can overflow, leaving the buffer uninitialized and potentia...

5.3CVSS5.3AI score0.01541EPSS
CVE
CVE
added 2019/12/03 9:52 p.m.124 views

CVE-2019-5096

CVE-2019-5096 is a use-after-free vulnerability in the GoAhead web server (Embedthis/Rockwell context) triggered by processing multipart/form-data. A specially crafted HTTP request (unauthenticated via GET/POST) can corrupt heap and lead to remote code execution. Affected GoAhead versions include...

9.8CVSS9.6AI score0.66982EPSS
CVE
CVE
added 2020/07/23 12:32 p.m.104 views

CVE-2020-15688

Vulnerability context: GoAhead Web Server before 5.1.2 is susceptible to a Digest authentication replay attack. An unauthenticated remote attacker can bypass authentication via capture-replay if TLS is not protecting the channel. The issue is tied to the Digest authentication implementation, not ...

8.8CVSS8.8AI score0.04039EPSS
CVE
CVE
added 2019/12/03 9:49 p.m.92 views

CVE-2019-5097

The CVE-2019-5097 entry documents a denial-of-service in the GoAhead web server’s handling of multipart/form-data. A specially crafted, unauthenticated HTTP request (GET or POST), targeting GoAhead versions v5.0.1, v4.1.1, and v3.6.5, can cause an infinite loop in the process, potentially impacti...

7.5CVSS7.5AI score0.45063EPSS
CVE
CVE
added 2017/03/13 6:14 a.m.90 views

CVE-2017-5675

The CVE-2017-5675 issue affects a custom GoAhead web server used in Foscam, Vstarcam, and multiple white-label IP cameras. The mail.htm page’s mail-sending form allows an attacker to inject a command into the receiver1 field, which is then executed with root privileges. The vulnerability is trigg...

9CVSS8.6AI score0.01713EPSS
CVE
CVE
added 2019/06/14 1:6 p.m.84 views

CVE-2019-12822

CVE-2019-12822 affects Embedthis GoAhead, specifically http.c, where a header parsing vulnerability in GoAhead before 4.1.1 and 5.x before 5.0.1 leads to a memory assertion, out-of-bounds memory reference, and potential DoS (demonstrated by a colon on a line by itself). Connected documents corrob...

7.5CVSS7.5AI score0.08848EPSS
CVE
CVE
added 2022/08/08 6:26 p.m.75 views

CVE-2021-41615

The CVE-2021-41615 entry relates to GoAhead WebServer 2.1.8 (websda.c) having insufficient nonce entropy because nonce calculation uses a hardcoded value (onceuponatimeinparadise) that does not comply with RFC 7616/2617 secret-data guidelines. The vulnerability is documented with a high CVSS v3.1...

9.8CVSS9.4AI score0.01067EPSS
CVE
CVE
added 2015/03/31 2:0 p.m.74 views

CVE-2014-9707

CVE-2014-9707 affects EmbedThis GoAhead Web Server 3.0.0–3.4.1. The vulnerability is in websNormalizeUriPath, which mishandles URI segments starting with a dot, enabling remote attackers to perform directory traversal and trigger a heap-based buffer overflow, potentially leading to crash or arbit...

7.5CVSS8.4AI score0.28417EPSS
CVE
CVE
added 2022/01/25 7:11 p.m.69 views

CVE-2021-43298

CVE-2021-43298 corresponds to a vulnerability in Embedthis GoAhead web server where the password check for HTTP Basic authentication does not use constant-time comparison and lacks rate-limiting, enabling an unauthenticated attacker to brute-force the password by timing responses. Connected sourc...

9.8CVSS9.6AI score0.02256EPSS
CVE
CVE
added 2018/08/18 12:0 a.m.63 views

CVE-2018-15505

CVE-2018-15505 describes a NULL pointer dereference inEmbedthis GoAhead (before 4.0.1) and Appweb (before 7.0.2) triggered by an HTTP POST with a specially crafted Host header, notably demonstrated by a missing trailing ‘]’ in IPv6 addresses, causing a denial of service. Affected products/version...

7.5CVSS7.5AI score0.02227EPSS
CVE
CVE
added 2018/08/18 12:0 a.m.60 views

CVE-2018-15504

CVE-2018-15504 affects Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The issue is a NULL pointer dereference caused by mishandling HTTP time-related request fields, demonstrated by If-Modified-Since or If-Unmodified-Since with a month value >11. This can lead to denial of service. Th...

7.5CVSS7.5AI score0.02766EPSS
CVE
CVE
added 2018/01/03 8:0 p.m.55 views

CVE-2017-1000471

CVE-2017-1000471 affects EmbedThis GoAhead Webserver 4.0.0. Root cause: NULL pointer dereference in the CGI handler, leading to memory corruption or denial of service. Documents do not provide patch/version remediation details or explicit exploitation status.

9.8CVSS9.3AI score0.08605EPSS
CVE
CVE
added 2017/09/05 7:0 a.m.49 views

CVE-2017-14149

GoAhead 3.4.0–3.6.5 is affected by a NULL pointer dereference in the websDecodeUrl function of http.c when handling a POST / HTTP/1.1 request, leading to a crash. The issue is confirmed across CVE records and vendor/security pages in the connected documents. Root cause: null pointer dereference i...

7.5CVSS7.5AI score0.05794EPSS