VYPR Vendor CVEs: Trustwave (All CVEs)

61 total · sorted by risk
  • CVE-2017-18001 · Critical · Dec 31, 2017
    risk 0.68 · cvss 9.8 · epss 0.14

    Trustwave Secure Web Gateway (SWG) through 11.8.0.27 allows remote attackers to append an arbitrary public key to the device's SSH Authorized Keys data, and consequently obtain remote root access, via the publicKey parameter to the /sendKey URI.

  • CVE-2026-21876 · Critical · Jan 8, 2026
    risk 0.57 · cvss 9.3 · epss 0.13

    The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a…

  • CVE-2026-40316 · High · Apr 15, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the…

  • CVE-2018-16384 · High · Sep 3, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as "if") and b is the SQL statement to be executed.

  • CVE-2025-27371 · Medium · Mar 3, 2025
    risk 0.45 · cvss 6.9 · epss 0.00

    In certain IETF OAuth 2.0-related specifications, when the JSON Web Token Profile for OAuth 2.0 Client Authentication mechanism is used, there are ambiguities in the audience values of JWTs sent to authorization servers. The affected RFCs may include RFC 7523, and also RFC 7521,…

  • CVE-2025-27370 · Medium · Mar 3, 2025
    risk 0.45 · cvss 6.9 · epss 0.00

    OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the private_key_jwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including…

  • CVE-2026-42268 · High · May 12, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmodsecurity3 if the user (administrator)…

  • CVE-2026-30923 · High · May 5, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string…

  • CVE-2018-13065 · Medium · Jul 3, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. NOTE: a third party has disputed this issue because it may only apply to environments without a Core Rule Set configured.

  • CVE-2026-33691 · Medium · Apr 2, 2026
    risk 0.37 · cvss 6.8 · epss 0.01

    The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx)…

  • CVE-2025-52891 · Medium · Jul 2, 2025
    risk 0.35 · cvss 6.5 · epss 0.00

    ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is…

  • CVE-2026-7510 · Medium · Apr 30, 2026
    risk 0.34 · cvss 6.3 · epss 0.00

    A vulnerability was determined in OWASP DefectDojo up to 2.55.4. Affected by this vulnerability is an unknown functionality of the component Benchmark/Engagement/Product/Survey. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The…

  • CVE-2026-3816 · Medium · Mar 9, 2026
    risk 0.28 · cvss 4.3 · epss 0.01

    A security vulnerability has been detected in OWASP DefectDojo up to 2.55.4. This vulnerability affects the function input_zip.read of the file parser.py of the component SonarQubeParser/MSDefenderParser. The manipulation leads to denial of service. The attack can be initiated…

  • CVE-2012-4528 · Dec 28, 2012
    risk 0.04 · cvss n/a · epss 0.13

    The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data.

  • CVE-2009-1902 · Jun 3, 2009
    risk 0.04 · cvss n/a · epss 0.14

    The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form-data POST request with a missing part header name, which triggers a NULL pointer dereference.

  • CVE-2007-1359 · Mar 8, 2007
    risk 0.04 · cvss n/a · epss 0.07

    Interpretation conflict in ModSecurity (mod_security) 2.1.0 and earlier allows remote attackers to bypass request rules via application/x-www-form-urlencoded POST data that contains an ASCIIZ (0x00) byte, which mod_security treats as a terminator even though it is still…

  • CVE-2007-4385 · Aug 17, 2007
    risk 0.03 · cvss n/a · epss 0.03

    OWASP Stinger before 2.5 allows remote attackers to bypass input validation routines by using multipart encoded requests instead of form-urlencoded requests. NOTE: this might be used to expose vulnerabilities in applications that would otherwise be protected by the validation…

  • CVE-2025-54571 · Aug 5, 2025
    risk 0.00 · cvss n/a · epss 0.00

    ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For…

  • CVE-2025-48866 · Jun 2, 2025
    risk 0.00 · cvss n/a · epss 0.01

    ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the…

  • CVE-2025-47947 · May 21, 2025
    risk 0.00 · cvss n/a · epss 0.01

    ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is…

  • CVE-2025-27110 · Feb 25, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in…

  • CVE-2024-46292 · Oct 9, 2024
    risk 0.00 · cvss n/a · epss 0.01

    A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. NOTE: this is disputed by the Supplier because it cannot be reproduced. Also, the product's documentation indicates that it is not…

  • CVE-2023-48171 · Aug 12, 2024
    risk 0.00 · cvss n/a · epss 0.01

    An issue in OWASP DefectDojo before v.1.5.3.1 allows a remote attacker to escalate privileges via the user permissions component.

  • CVE-2024-1019 · Jan 30, 2024
    risk 0.00 · cvss n/a · epss 0.01

    ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional…

  • CVE-2024-22164 · Jan 9, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) to the Investigation. The attachment endpoint does not properly limit the size of the request which lets an attacker cause the…

  • CVE-2024-22165 · Jan 9, 2024
    risk 0.00 · cvss n/a · epss 0.01

    In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted. The…

  • CVE-2023-38285 · Jul 26, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity.

  • CVE-2023-38199 · Jul 13, 2023
    risk 0.00 · cvss n/a · epss 0.01

    coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application.…

  • CVE-2023-28882 · Apr 28, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.

  • CVE-2022-48279 · Jan 20, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.

  • CVE-2023-24021 · Jan 20, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer over-reads on the Web Application Firewall when executing rules that read the FILES_TMP_CONTENT collection.

  • CVE-2021-4247 · Dec 18, 2022
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability has been found in OWASP NodeGoat and classified as problematic. This vulnerability affects unknown code of the file app/routes/research.js of the component Query Parameter Handler. The manipulation leads to denial of service. The attack can be initiated remotely.…

  • CVE-2022-39958 · Sep 20, 2022
    risk 0.00 · cvss n/a · epss 0.01

    The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily…

  • CVE-2022-39955 · Sep 20, 2022
    risk 0.00 · cvss n/a · epss 0.01

    The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple…

  • CVE-2022-39957 · Sep 20, 2022
    risk 0.00 · cvss n/a · epss 0.01

    The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be…

  • CVE-2022-39956 · Sep 20, 2022
    risk 0.00 · cvss n/a · epss 0.01

    The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will…

  • CVE-2021-42717 · Dec 7, 2021
    risk 0.00 · cvss n/a · epss 0.03

    ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the…

  • CVE-2021-35368 · Nov 5, 2021
    risk 0.00 · cvss n/a · epss 0.03

    OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname.

  • CVE-2019-25043 · May 6, 2021
    risk 0.00 · cvss n/a · epss 0.01

    ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header.

  • CVE-2020-15598 · Oct 6, 2020
    risk 0.00 · cvss n/a · epss 0.03

    Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. NOTE: The discoverer reports "Trustwave has signaled they are disputing our claims." The CVE suggests that there is a security issue with how ModSecurity handles regular expressions that can…

  • CVE-2014-2727 · Feb 19, 2020
    risk 0.00 · cvss n/a · epss 0.02

    The STARTTLS implementation in MailMarshal before 7.2 allows plaintext command injection.

  • CVE-2019-19886 · Jan 21, 2020
    risk 0.00 · cvss n/a · epss 0.03

    Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send crafted requests that may, when sent quickly in large volumes, lead to the server becoming slow or unresponsive (Denial of Service) because of a flaw in Transaction::addRequestHeader in transaction.cc.

  • CVE-2019-13464 · Jul 9, 2019
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid.

  • CVE-2019-11391 · Apr 21, 2019
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with $a# at the beginning and nested repetition…

  • CVE-2019-11389 · Apr 21, 2019
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with next# at the beginning and nested repetition…

  • CVE-2019-11388 · Apr 21, 2019
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with nested repetition operators. NOTE: the software…

  • CVE-2019-11387 · Apr 21, 2019
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with nested repetition operators.

  • CVE-2013-5705 · Apr 15, 2014
    risk 0.00 · cvss n/a · epss 0.03

    apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.

  • CVE-2013-5960 · Sep 30, 2013
    risk 0.00 · cvss n/a · epss 0.02

    The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended…

  • CVE-2013-5679 · Sep 30, 2013
    risk 0.00 · cvss n/a · epss 0.02

    The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended…

Page 1 of 2