Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2019-13285

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-04 May, 2020 | 13:36
Updated At-04 Aug, 2024 | 23:49
Rejected At-
Credits

CoSoSys Endpoint Protector 5.1.0.2 allows Host Header Injection.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:04 May, 2020 | 13:36
Updated At:04 Aug, 2024 | 23:49
Rejected At:
▼CVE Numbering Authority (CNA)

CoSoSys Endpoint Protector 5.1.0.2 allows Host Header Injection.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.endpointprotector.com/products/endpoint-protector
x_refsource_MISC
https://www.esecforte.com/endpoint-protector-india-cososys-dlp/
x_refsource_MISC
Hyperlink: https://www.endpointprotector.com/products/endpoint-protector
Resource:
x_refsource_MISC
Hyperlink: https://www.esecforte.com/endpoint-protector-india-cososys-dlp/
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.endpointprotector.com/products/endpoint-protector
x_refsource_MISC
x_transferred
https://www.esecforte.com/endpoint-protector-india-cososys-dlp/
x_refsource_MISC
x_transferred
Hyperlink: https://www.endpointprotector.com/products/endpoint-protector
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://www.esecforte.com/endpoint-protector-india-cososys-dlp/
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:04 May, 2020 | 14:15
Updated At:11 May, 2020 | 13:26

CoSoSys Endpoint Protector 5.1.0.2 allows Host Header Injection.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N
CPE Matches

cososys
cososys
>>endpoint_protector>>5.1.0.2
cpe:2.3:a:cososys:endpoint_protector:5.1.0.2:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-74Primarynvd@nist.gov
CWE ID: CWE-74
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://www.endpointprotector.com/products/endpoint-protectorcve@mitre.org
Product
https://www.esecforte.com/endpoint-protector-india-cososys-dlp/cve@mitre.org
Exploit
Third Party Advisory
Hyperlink: https://www.endpointprotector.com/products/endpoint-protector
Source: cve@mitre.org
Resource:
Product
Hyperlink: https://www.esecforte.com/endpoint-protector-india-cososys-dlp/
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

75Records found

CVE-2023-26130
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.5||HIGH
EPSS-0.19% / 40.71%
||
7 Day CHG~0.00%
Published-30 May, 2023 | 05:00
Updated-13 Feb, 2025 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors. **Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507).

Action-Not Available
Vendor-cpp-httplib_projectn/ayhirose
Product-cpp-httplibyhirose/cpp-httplibcpp-httplib
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2013-4578
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.29% / 51.96%
||
7 Day CHG~0.00%
Published-29 Dec, 2017 | 22:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper file validation.

Action-Not Available
Vendor-n/aOracle Corporation
Product-jrejdkn/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2019-8322
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.25% / 48.56%
||
7 Day CHG~0.00%
Published-17 Jun, 2019 | 19:02
Updated-04 Aug, 2024 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.

Action-Not Available
Vendor-rubygemsn/aDebian GNU/LinuxopenSUSE
Product-debian_linuxrubygemsleapn/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2016-7125
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.22% / 44.36%
||
7 Day CHG~0.00%
Published-12 Sep, 2016 | 01:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by object injection.

Action-Not Available
Vendor-n/aThe PHP Group
Product-phpn/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2012-0070
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.22% / 44.73%
||
7 Day CHG~0.00%
Published-15 Jan, 2020 | 13:40
Updated-06 Aug, 2024 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

spamdyke prior to 4.2.1: STARTTLS reveals plaintext

Action-Not Available
Vendor-spamdykespamdyke
Product-spamdykespamdyke
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2019-18657
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.42% / 61.24%
||
7 Day CHG~0.00%
Published-31 Oct, 2019 | 18:55
Updated-21 Nov, 2024 | 04:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ClickHouse before 19.13.5.44 allows HTTP header injection via the url table function.

Action-Not Available
Vendor-yandexn/a
Product-clickhousen/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2019-17513
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.25% / 78.50%
||
7 Day CHG~0.00%
Published-18 Oct, 2019 | 02:36
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.

Action-Not Available
Vendor-ratpack_projectn/a
Product-ratpackn/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2019-17068
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.47% / 63.45%
||
7 Day CHG~0.00%
Published-01 Oct, 2019 | 16:55
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PuTTY before 0.73 mishandles the "bracketed paste mode" protection mechanism, which may allow a session to be affected by malicious clipboard content.

Action-Not Available
Vendor-puttyn/aopenSUSE
Product-puttyleapn/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2019-16771
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.42% / 60.86%
||
7 Day CHG~0.00%
Published-06 Dec, 2019 | 19:00
Updated-05 Aug, 2024 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') in Armeria

Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking.

Action-Not Available
Vendor-linecorpLINE
Product-armeriaArmeria
CWE ID-CWE-113
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2019-17123
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.44% / 62.32%
||
7 Day CHG~0.00%
Published-13 Dec, 2019 | 17:54
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The eGain Web Email API 11+ allows spoofed messages because the fromName and message fields (to /system/ws/v11/ss/email) are mishandled, as demonstrated by fromName header injection with a %0a or %0d character. (Also, the message parameter can have initial HTML comment characters.)

Action-Not Available
Vendor-egainn/a
Product-mailn/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2021-34419
Matching Score-4
Assigner-Zoom Video Communications, Inc.
ShareView Details
Matching Score-4
Assigner-Zoom Video Communications, Inc.
CVSS Score-3.7||LOW
EPSS-0.65% / 69.82%
||
7 Day CHG~0.00%
Published-11 Nov, 2021 | 22:59
Updated-17 Sep, 2024 | 04:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTML injection in Zoom Linux client

In the Zoom Client for Meetings for Ubuntu Linux before version 5.1.0, there is an HTML injection flaw when sending a remote control request to a user in the process of in-meeting screen sharing. This could allow meeting participants to be targeted for social engineering attacks.

Action-Not Available
Vendor-Zoom Communications, Inc.
Product-zoom_client_for_meetingsZoom Client for Meetings for Ubuntu Linux
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2010-3668
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.43% / 61.44%
||
7 Day CHG~0.00%
Published-04 Nov, 2019 | 22:01
Updated-07 Aug, 2024 | 03:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Header Injection in the secure download feature jumpurl.

Action-Not Available
Vendor-n/aTYPO3 Association
Product-typo3n/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2019-12425
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-2.18% / 83.67%
||
7 Day CHG~0.00%
Published-30 Apr, 2020 | 19:20
Updated-04 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache OFBiz 17.12.01 is vulnerable to Host header injection by accepting arbitrary host

Action-Not Available
Vendor-The Apache Software Foundation
Product-ofbizApache OFBiz
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2021-32499
Matching Score-4
Assigner-SICK AG
ShareView Details
Matching Score-4
Assigner-SICK AG
CVSS Score-7.5||HIGH
EPSS-0.65% / 69.82%
||
7 Day CHG~0.00%
Published-17 Dec, 2021 | 16:10
Updated-03 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SICK SOPAS ET before version 4.8.0 allows attackers to manipulate the command line arguments to pass in any value to the Emulator executable.

Action-Not Available
Vendor-n/aSICK AG
Product-sopas_engineering_toolSICK SOPAS ET
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2021-31164
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-3.89% / 87.81%
||
7 Day CHG~0.00%
Published-04 May, 2021 | 06:55
Updated-03 Aug, 2024 | 22:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Unomi log injection

Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements.

Action-Not Available
Vendor-The Apache Software Foundation
Product-unomiApache Unomi
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2021-28963
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.49% / 64.47%
||
7 Day CHG~0.00%
Published-22 Mar, 2021 | 07:02
Updated-03 Aug, 2024 | 21:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.

Action-Not Available
Vendor-shibbolethn/aDebian GNU/Linux
Product-service_providerdebian_linuxn/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2025-0697
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.07% / 20.39%
||
7 Day CHG~0.00%
Published-24 Jan, 2025 | 15:00
Updated-12 Feb, 2025 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Telstra Smart Modem Gen 2 HTTP Header injection

A vulnerability, which was classified as problematic, was found in Telstra Smart Modem Gen 2 up to 20250115. This affects an unknown part of the component HTTP Header Handler. The manipulation of the argument Content-Disposition leads to injection. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Telstra
Product-Smart Modem Gen 2
CWE ID-CWE-707
Improper Neutralization
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2024-49380
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.9||HIGH
EPSS-26.03% / 96.08%
||
7 Day CHG~0.00%
Published-25 Oct, 2024 | 13:04
Updated-06 May, 2025 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Plenti arbitrary file write vulnerability

Plenti, a static site generator, has an arbitrary file write vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write vulnerability when a plenti user serves their website. This issue may lead to Remote Code Execution. Version 0.7.2 fixes the vulnerability.

Action-Not Available
Vendor-plentiplenticoplenti
Product-plentiplentiplentico
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2019-0319
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-7.5||HIGH
EPSS-0.97% / 75.72%
||
7 Day CHG~0.00%
Published-10 Jul, 2019 | 18:51
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SAP Gateway, versions 7.5, 7.51, 7.52 and 7.53, allows an attacker to inject content which is displayed in the form of an error message. An attacker could thus mislead a user to believe this information is from the legitimate service when it's not.

Action-Not Available
Vendor-SAP SE
Product-gatewayui5SAP Gateway
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2019-13146
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 48.85%
||
7 Day CHG~0.00%
Published-09 Jul, 2019 | 17:58
Updated-04 Aug, 2024 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The field_test gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS).

Action-Not Available
Vendor-field_test_projectn/a
Product-field_testn/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2015-5841
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-5||MEDIUM
EPSS-0.62% / 69.09%
||
7 Day CHG~0.00%
Published-18 Sep, 2015 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The CFNetwork Proxies component in Apple iOS before 9 does not properly handle a Set-Cookie header within a response to an HTTP CONNECT request, which allows remote proxy servers to conduct cookie-injection attacks via a crafted response.

Action-Not Available
Vendor-n/aApple Inc.
Product-mac_os_xiphone_oswatchosn/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2024-29896
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.09% / 26.77%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 12:48
Updated-02 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Astro-Shield's Content-Security-Policy header generation in middleware could be compromised by malicious injections

Astro-Shield is a library to compute the subresource integrity hashes for your JS scripts and CSS stylesheets. When automated CSP headers generation for SSR content is enabled and the web application serves content that can be partially controlled by external users, then it is possible that the CSP headers generation feature might be "allow-listing" malicious injected resources like inlined JS, or references to external malicious scripts. The fix is available in version 1.3.0.

Action-Not Available
Vendor-KindSpellskindspells
Product-astro-shieldastro-shield
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2014-7287
Matching Score-4
Assigner-Symantec - A Division of Broadcom
ShareView Details
Matching Score-4
Assigner-Symantec - A Division of Broadcom
CVSS Score-5||MEDIUM
EPSS-0.51% / 65.52%
||
7 Day CHG~0.00%
Published-01 Feb, 2015 | 02:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The key-management component in Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allows remote attackers to trigger unintended content in outbound e-mail messages via a crafted key UID value in an inbound e-mail message, as demonstrated by the outbound Subject header.

Action-Not Available
Vendor-n/aSymantec Corporation
Product-pgp_universal_serverencryption_management_servern/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2024-49381
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.27% / 50.48%
||
7 Day CHG~0.00%
Published-25 Oct, 2024 | 13:06
Updated-14 Nov, 2024 | 23:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Plenti arbitrary file deletion vulnerability

Plenti, a static site generator, has an arbitrary file deletion vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write deletion when a plenti user serves their website. This issue may lead to information loss. Version 0.7.2 fixes the vulnerability.

Action-Not Available
Vendor-plentiplenticoplenti
Product-plentiplentiplentico
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-5217
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.4||MEDIUM
EPSS-0.52% / 65.90%
||
7 Day CHG~0.00%
Published-23 Jan, 2020 | 02:15
Updated-04 Aug, 2024 | 08:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Directive injection when using dynamic overrides with user input in RubyGems secure_headers

In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secure_headers are sorted alphabetically so they pretty much all come before script-src. A previously undefined directive would receive a value even if SecureHeaders::OPT_OUT was supplied. The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s. Depending on what major version you are using, the fixed versions are 6.2.0, 5.1.0, 3.8.0.

Action-Not Available
Vendor-twitterTwitter
Product-secure_headerssecure_headers
CWE ID-CWE-95
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • Previous
  • 1
  • 2
  • Next
Details not found