Search results: Trustwave ModSecurity

14 matches found

CVE-2013-2765 (CVE, added 2013/07/15 3:00 p.m.)

CVE-2013-2765 affects the ModSecurity module for the Apache HTTP Server (before 2.7.4). The vulnerability allows remote attackers to cause a denial of service via a POST request with a large body and a crafted Content-Type header, resulting in a NULL pointer dereference, process crash, and disk c...

CVSS 5 | AI score 6.5 | EPSS 0.13719
CVE-2023-24021 (CVE, added 2023/01/20 12:00 a.m.)

CVE-2023-24021 affects ModSecurity’s handling of file uploads via the FILES_TMP_CONTENT collection, due to incorrect handling of '\0' bytes. The vulnerability can enable Web Application Firewall bypasses and buffer over-reads on the WAF when rules read FILES_TMP_CONTENT. Affected product: ModSecu...

CVSS 7.5 | AI score 7.5 | EPSS 0.00906
CVE-2022-48279 (CVE, added 2023/01/20 12:00 a.m.)

CVE-2022-48279 affects ModSecurity; HTTP multipart requests could bypass the Web Application Firewall in versions before 2.9.6 and in 3.x before 3.0.8. Connected sources show patched releases (2.9.6+, 3.0.8+) and downstream updates (Debian, Fedora, Amazon Linux, etc.). No exploit details are prov...

CVSS 7.5 | AI score 8.4 | EPSS 0.01169
CVE-2025-47947 (CVE, added 2025/05/21 10:08 p.m.)

CVE-2025-47947 affects ModSecurity up to v2.9.8, where a DoS can occur when the payload is application/json and a sanitiseMatchedBytes action is present. A patch was developed (pull request 3389) and is expected in v2.9.9; no public workarounds are listed. Related advisories confirm denial-of-ser...

CVSS 7.5 | AI score 6.8 | EPSS 0.00559
CVE-2021-42717 (CVE, added 2021/12/07 9:08 p.m.)

CVE-2021-42717 affects ModSecurity 3.x up to 3.0.5 (and 2.x up to 2.9.4). The flaw: excessive nesting of JSON objects causes severe resource exhaustion (DoS), with small-ish requests (e.g., ~300 KB) able to tie up workers and consume CPU. Mitigations documented across multiple sources include upg...

CVSS 7.5 | AI score 7.3 | EPSS 0.03206
CVE-2013-5705 (CVE, added 2014/04/15 10:00 a.m.)

Affected software: ModSecurity (Apache module) before 2.7.6. Root cause: flawed handling of chunked Transfer-Encoding with a capitalized Chunked value in the HTTP header. Impact: remote attackers can bypass mod_security rules. Remediation: upgrade to ModSecurity 2.7.6 or newer (as cited by multip...

CVSS 5 | AI score 6 | EPSS 0.02648
CVE-2013-1915 (CVE, added 2013/04/25 11:00 p.m.)

CVE-2013-1915 (ModSecurity XXE): ModSecurity before 2.7.3 is vulnerable to an XML External Entity (XXE) attack via an XML entity declaration and a referenced entity. This can allow remote attackers to read arbitrary files, make HTTP requests to intranet servers, or trigger denial of service (CPU...

CVSS 7.5 | AI score 6.7 | EPSS 0.04208
CVE-2025-27110 (CVE, added 2025/02/25 8:00 p.m.)

Libmodsecurity3 contains a vulnerability in version 3.0.13 where encoded HTML entities with leading zeroes are not decoded correctly. A fixed release is 3.0.14. Several advisories (Fedora, openSUSE/SUSE, OpenVAS/NASL entries) reference CVE-2025-27110 and mandate an update to 3.0.14 to remediate. The...

CVSS 7.9 | AI score 6.9 | EPSS 0.00443
CVE-2012-2751 (CVE, added 2012/07/22 4:00 p.m.)

CVE-2012-2751 relates to ModSecurity prior to 2.6.6 when used with PHP. The issue arises in how single quotes in Content-Disposition are handled inside multipart/form-data requests, allowing remote attackers to bypass filtering rules and potentially perform XSS. The vulnerability is noted to exis...

CVSS 4.3 | AI score 5.7 | EPSS 0.03303
CVE-2012-4528 (CVE, added 2012/12/28 11:00 a.m.)

CVE-2012-4528 applies to the mod_security2 module for Apache HTTP Server, before version 2.7.0. The issue arises in multipart request handling where an invalid part precedes crafted data, allowing remote attackers to bypass rules and deliver arbitrary POST data to a PHP application. Impact is a r...

CVSS 5 | AI score 6.6 | EPSS 0.12507
CVE-2009-1902 (CVE, added 2009/06/03 4:33 p.m.)

CVE-2009-1902 affects ModSecurity prior to 2.5.9. The vulnerability arises in the multipart processor when a POST request has a missing part header name, causing a NULL pointer dereference and potential denial of service (remote crash). Evidence from SUSE confirms the same description and imp...

CVSS 5 | AI score 6.3 | EPSS 0.13735
CVE-2009-1903 (CVE, added 2009/06/03 4:33 p.m.)

ModSecurity (Apache module) prior to version 2.5.9 is affected by two CVEs: CVE-2009-1902 (NULL pointer dereference when processing multipart requests without a part header name) and CVE-2009-1903 (PDF XSS protection failing for PDF requests not using GET), leading to possible denial of service (...

CVSS 4.3 | AI score 5.8 | EPSS 0.03027
CVE-2009-5031 (CVE, added 2012/07/22 4:00 p.m.)

CVE-2009-5031 affects ModSecurity before 2.5.11. It mishandles single quotes in request parameter values in the Content-Disposition header of multipart/form-data requests, allowing remote attackers to bypass filtering and perform other attacks such as XSS. A fix is available in ModSecurity 2.5.11...

CVSS 4.3 | AI score 5.6 | EPSS 0.0293
CVE-2024-46292 (CVE, added 2024/10/09 12:00 a.m.)

CVE-2024-46292 reports a buffer overflow in ModSecurity v3.0.12 that could cause DoS via a crafted input in the name parameter. The description notes this is disputed by the supplier (cannot reproduce) and that documentation states it may not be usable with very large SecRequestBodyNoFilesLimit v...

CVSS 7.5 | AI score 7.6 | EPSS 0.00785