Total
4 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-26138 | 1 Drogon | 1 Drogon | 2024-02-04 | N/A | 4.3 MEDIUM |
All versions of the package drogonframework/drogon are vulnerable to CRLF Injection when untrusted user input is used to set request headers in the addHeader function. An attacker can add the \r\n (carriage return line feeds) characters and inject additional headers in the request sent. | |||||
CVE-2023-26137 | 1 Drogon | 1 Drogon | 2024-02-04 | N/A | 6.1 MEDIUM |
All versions of the package drogonframework/drogon are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values in the addHeader and addCookie functions. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content. | |||||
CVE-2022-25297 | 1 Drogon | 1 Drogon | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
This affects the package drogonframework/drogon before 1.7.5. The unsafe handling of file names during upload using HttpFile::save() method may enable attackers to write files to arbitrary locations outside the designated target folder. | |||||
CVE-2021-35397 | 1 Drogon | 1 Drogon | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
A path traversal vulnerability in the static router for Drogon from 1.0.0-beta14 to 1.6.0 could allow an unauthenticated, remote attacker to arbitrarily read files. The vulnerability is due to lack of proper input validation for requested path. An attacker could exploit this vulnerability by sending crafted HTTP request with specific path to read. Successful exploitation could allow the attacker to read files that should be restricted. |