Uninett Mod Auth Mellon

8 matches found

added 2022/08/22 3:15 p.m., 143 views

CVE-2021-3639

A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an external and potentially malicious server. The highest threa...

CVSS 6.1, AI score 5.8, EPSS 0.00103
added 2019/03/26 6:29 p.m., 120 views

CVE-2019-3878

A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user directive), adding special HTTP headers that are normally used to start the special SAML ECP...

CVSS 8.1, AI score 7.7, EPSS 0.03208
added 2019/03/27 1:29 p.m., 91 views

CVE-2019-3877

A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them as an absolute URL. Thi...

CVSS 6.1, AI score 6.6, EPSS 0.00708
added 2017/03/13 2:59 p.m., 65 views

CVE-2017-6807

mod_auth_mellon before 0.13.1 is vulnerable to a Cross-Site Session Transfer attack, where a user with access to one web site running on a server can copy their session cookie to a different web site on the same server to get access to that site.

CVSS 6.1, AI score 6.2, EPSS 0.00363
added 2016/04/15 2:59 p.m., 48 views

CVE-2016-2145

The am_read_post_data function in mod_auth_mellon before 0.11.1 does not check if the ap_get_client_block function returns an error, which allows remote attackers to cause a denial of service (segmentation fault and process crash) via a crafted POST data.

CVSS 7.5, AI score 7.1, EPSS 0.0129
added 2014/11/14 3:59 p.m., 46 views

CVE-2014-8567

The mod_auth_mellon module before 0.8.1 allows remote attackers to cause a denial of service (Apache HTTP server crash) via a crafted logout request that triggers a read of uninitialized data.

CVSS 9.4, AI score 6.3, EPSS 0.04434
added 2016/04/15 2:59 p.m., 46 views

CVE-2016-2146

The am_read_post_data function in mod_auth_mellon before 0.11.1 does not limit the amount of data read, which allows remote attackers to cause a denial of service (worker process crash, web server deadlock, or memory consumption) via a large amount of POST data.

CVSS 7.5, AI score 7.2, EPSS 0.0119
added 2014/11/15 9:59 p.m., 35 views

CVE-2014-8566

The mod_auth_mellon module before 0.8.1 allows remote attackers to obtain sensitive information or cause a denial of service (segmentation fault) via unspecified vectors related to a "session overflow" involving "sessions overlapping in memory."

CVSS 6.4, AI score 6.4, EPSS 0.01092