13 matches found
CVE-2023-38285
CVE-2023-38285 affects Trustwave ModSecurity 3.x prior to 3.0.10. The root cause is Inefficient Algorithmic Complexity in certain input handling, leading to potential denial of service with network-based exploitation. The CVSS indicates network attack vector, low attack complexity, and high avail...
CVE-2023-28882
CVE-2023-28882 affects Trustwave ModSecurity 3.0.5–3.0.8; before 3.0.9, certain inputs can trigger a segfault in the Transaction class, causing worker crashes and server unresponsiveness (DoS) in affected configurations. The issue is mitigated by upgrading to ModSecurity 3.0.9 or applying the ven...
CVE-2022-48279
CVE-2022-48279 affects ModSecurity; HTTP multipart requests could bypass the Web Application Firewall in versions before 2.9.6 and in 3.x before 3.0.8. Connected sources show patched releases (2.9.6+, 3.0.8+) and downstream updates (Debian, Fedora, Amazon Linux, etc.). No exploit details are prov...
CVE-2021-42717
CVE-2021-42717 affects ModSecurity 3.x up to 3.0.5 (and 2.x up to 2.9.4). The flaw: excessive nesting of JSON objects causes severe resource exhaustion (DoS), with small-ish requests (e.g., ~300 KB) able to tie up workers and consume CPU. Mitigations documented across multiple sources include upg...
CVE-2025-48866
ModSecurity (mod_security) WAF engine for Apache/Nginx/IIS is affected by CVE-2025-48866. In ModSecurity versions prior to 2.9.10, the sanitiseArg (and alias sanitizeArg) action can be abused to add an excessive number of arguments, leading to a denial of service. Astra Linux advisories confirm t...
CVE-2020-15598
CVE-2020-15598 affects Trustwave ModSecurity 3.x up to 3.0.4, where denial of service can be triggered by a request that exploits how ModSecurity handles certain regular expressions. The description notes no default configuration issue and that an attacker would need to know the presence and natu...
CVE-2019-19886
The CVE affects Trustwave ModSecurity v3 (libmodsecurity), specifically versions 3.0.0–3.0.3, where a flaw in Transaction::addRequestHeader in transaction.cc can cause denial of service when crafted requests are sent rapidly in large volumes. Reported impact is server slowdown or unavailability. ...
CVE-2024-1019
CVE-2024-1019 affects ModSecurity/libModSecurity versions 3.0.0 through 3.0.11. The root cause is that request URLs are percent-decoded before separating the path and query string, causing an impedance mismatch with RFC-compliant back-ends and allowing an attacker to hide a payload in the URL pat...
CVE-2025-54571
CVE-2025-54571 affects ModSecurity (WAF engine for Apache/IIS/Nginx). In versions 2.9.11 and earlier, an attacker could override the HTTP response Content-Type, enabling issues such as XSS and arbitrary script-source disclosure. The vulnerability is fixed in ModSecurity 2.9.12. Remediation: upgra...
CVE-2018-13065
CVE-2018-13065 affects ModSecurity 3.0.0 with a Cross-Site Scripting issue: XSS via an IMG onError attribute. The core detail across connected sources is that an attacker could inject script through an onError on an IMG tag; some sources note a third party disputes applicability without a Core Ru...
CVE-2019-25043
CVE-2019-25043 affects ModSecurity 3.x prior to 3.0.4. The vulnerability arises from mishandling of key-value pair parsing, demonstrated by a string index out of range error and a worker-process crash triggered by a Cookie: =abc header. The impact is a crash/restart of workers, with no documented...
CVE-2026-30923
CVE-2026-30923 affects libModSecurity3 (ModSecurity v3) where a rule using the t:hexDecode transformation can trigger a segmentation fault when inspecting a single-character query string, causing worker process crashes and denial of service. All versions prior to 3.0.15 are affected; the issue is...
CVE-2026-42268
ModSecurity (libmodsecurity3) versions 3.0.0–3.0.14 expose an unhandled std::out_of_range exception caused by an unsigned integer underflow when using the operators @verifySSN, @verifyCPF, or @verifySVNR. The vulnerability affects the WAF engine for Apache, IIS, and Nginx and is fixed in 3.0.15. ...