6 matches found
CVE-2021-3639
CVE-2021-3639 affects mod_auth_mellon: a logout URL sanitization flaw could enable phishing by redirecting users from a trusted app to an external, potentially malicious server. Impact via confidentiality and integrity. Patches exist in multiple distributions: Debian LTS shows libapache2-mod-auth...
CVE-2017-6807
CVE-2017-6807 affects mod_auth_mellon prior to 0.13.1, enabling a Cross‑Site Session Transfer where a user’s session cookie from one site on a server can be copied to another site on the same server to gain access. Public disclosures and vendor advisories (e.g., Ubuntu USN-4597-1, various Nessus/...
CVE-2016-2145
CVE-2016-2145 affects mod_auth_mellon before 0.11.1: am_read_post_data does not check ap_get_client_block for errors, enabling DoS via crafted POST data (segfaults/process crashes). Affected products/versions include Red Hat/EulerOS advisories; recommended mitigation is upgrading to at least 0.13...
CVE-2014-8567
CVE-2014-8567 affects the mod_auth_mellon module for Apache (pre-0.8.1). A crafted logout request can trigger a read of uninitialized data, leading to an Apache HTTP server denial-of-service (crash). Public sources consistently describe the issue and its impact as a DoS via logout handling. The v...
CVE-2016-2146
CVE-2016-2145/2146 affect mod_auth_mellon prior to 0.11.1: am_read_post_data does not limit/validate POST data, enabling DoS (worker crash, deadlock, memory consumption). Debug/impact: remote attacker can exploit by sending large POST payloads. Affected product: mod_auth_mellon (web authenticatio...
CVE-2014-8566
CVE-2014-8566 affects the mod_auth_mellon module prior to version 0.8.1. The root cause is a session handling flaw where sessions overlap in memory, described as a “session overflow,” which can allow remote attackers to disclose sensitive information or trigger a denial of service (segmentation f...