Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Modsecurity
(Trustwave)| Repositories | https://github.com/SpiderLabs/ModSecurity |
| #Vulnerabilities | 17 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-05-06 | CVE-2019-25043 | ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header. | Modsecurity | 5.3 | ||
| 2009-06-03 | CVE-2009-1903 | The PDF XSS protection feature in ModSecurity before 2.5.8 allows remote attackers to cause a denial of service (Apache httpd crash) via a request for a PDF file that does not use the GET method. | Fedora, Modsecurity | N/A | ||
| 2013-04-25 | CVE-2013-1915 | ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability. | Debian_linux, Fedora, Opensuse, Modsecurity | N/A | ||
| 2014-04-15 | CVE-2013-5705 | apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header. | Debian_linux, Modsecurity | N/A | ||
| 2012-12-28 | CVE-2012-4528 | The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data. | Fedora, Opensuse, Modsecurity | N/A | ||
| 2012-07-22 | CVE-2009-5031 | ModSecurity before 2.5.11 treats request parameter values containing single quotes as files, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks via a single quote in a request parameter in the Content-Disposition field of a request with a multipart/form-data Content-Type header. | Opensuse, Modsecurity | N/A | ||
| 2009-06-03 | CVE-2009-1902 | The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form datapost request with a missing part header name, which triggers a NULL pointer dereference. | Fedora, Modsecurity | N/A |