Modsecurity Security Vulnerabilities and Issues — Modsecurity CVE List

Lucene search

TrustwaveModsecurity

7 matches found

CVE•added 2023/01/20 7:15 p.m.•105 views

CVE-2023-24021

Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer over-reads on the Web Application Firewall when executing rules that read the FILES_TMP_CONTENT collection.

7.5CVSS7.5AI score0.00085EPSS

CVE•added 2021/12/07 10:15 p.m.•102 views

CVE-2021-42717

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worke...

7.5CVSS7.3AI score0.01628EPSS

CVE•added 2023/01/20 7:15 p.m.•100 views

CVE-2022-48279

In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.

7.5CVSS8.4AI score0.00514EPSS

CVE•added 2025/05/21 10:15 p.m.•74 views

CVE-2025-47947

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is application/json, and there is ...

7.5CVSS6.8AI score0.00089EPSS

CVE•added 2013/04/25 11:55 p.m.•72 views

CVE-2013-1915

ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability.

7.5CVSS6.7AI score0.04848EPSS

CVE•added 2025/02/25 8:15 p.m.•59 views

CVE-2025-27110

Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3...

7.9CVSS6.9AI score0.00053EPSS

CVE•added 2024/10/09 4:15 p.m.•43 views

CVE-2024-46292

A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. NOTE: this is disputed by the Supplier because it cannot be reproduced. Also, the product's documentation indicates that it is not guaranteed to be usab...

7.5CVSS7.6AI score0.00117EPSS