VYPR

Mod Auth Mellon

by Uninett

Source repositories

CVEs (9)

  • CVE-2016-2146HigApr 15, 2016
    risk 0.42cvss 7.5epss 0.03

    The am_read_post_data function in mod_auth_mellon before 0.11.1 does not limit the amount of data read, which allows remote attackers to cause a denial of service (worker process crash, web server deadlock, or memory consumption) via a large amount of POST data.

  • CVE-2016-2145HigApr 15, 2016
    risk 0.42cvss 7.5epss 0.03

    The am_read_post_data function in mod_auth_mellon before 0.11.1 does not check if the ap_get_client_block function returns an error, which allows remote attackers to cause a denial of service (segmentation fault and process crash) via a crafted POST data.

  • CVE-2019-13038MedJun 29, 2019
    risk 0.40cvss 6.1epss 0.01

    mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL.

  • CVE-2017-6807MedMar 13, 2017
    risk 0.40cvss 6.1epss 0.01

    mod_auth_mellon before 0.13.1 is vulnerable to a Cross-Site Session Transfer attack, where a user with access to one web site running on a server can copy their session cookie to a different web site on the same server to get access to that site.

  • CVE-2021-3639MedAug 22, 2022
    risk 0.00cvss 6.1epss 0.01

    A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an external and potentially malicious…

  • CVE-2019-3877MedMar 27, 2019
    risk 0.00cvss 5.8epss 0.02

    A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them as…

  • CVE-2019-3878HigMar 26, 2019
    risk 0.00cvss 8.1epss 0.03

    A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user directive), adding special HTTP headers that are normally used to start…

  • CVE-2014-8566Nov 15, 2014
    risk 0.00cvss epss 0.03

    The mod_auth_mellon module before 0.8.1 allows remote attackers to obtain sensitive information or cause a denial of service (segmentation fault) via unspecified vectors related to a "session overflow" involving "sessions overlapping in memory."

  • CVE-2014-8567Nov 14, 2014
    risk 0.00cvss epss 0.04

    The mod_auth_mellon module before 0.8.1 allows remote attackers to cause a denial of service (Apache HTTP server crash) via a crafted logout request that triggers a read of uninitialized data.