Vulnerabilities > Embedthis > Goahead > 2.1.8

DATE CVE VULNERABILITY TITLE RISK
2022-08-08 CVE-2021-41615 Insufficient Entropy vulnerability in Embedthis Goahead 2.1.8
websda.c in GoAhead WebServer 2.1.8 has insufficient nonce entropy because the nonce calculation relies on the hardcoded onceuponatimeinparadise value, which does not follow the secret-data guideline for HTTP Digest Access Authentication in RFC 7616 section 3.3 (or RFC 2617 section 3.2.1).
network
low complexity
embedthis CWE-331
critical
9.8
2022-01-25 CVE-2021-43298 Improper Restriction of Excessive Authentication Attempts vulnerability in Embedthis Goahead
The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate-limiting.
network
low complexity
embedthis CWE-307
critical
9.8
2020-07-23 CVE-2020-15688 Authentication Bypass by Capture-replay vulnerability in Embedthis Goahead
The HTTP Digest Authentication in the GoAhead web server before 5.1.2 does not completely protect against replay attacks.
network
low complexity
embedthis CWE-294
8.8
2019-11-22 CVE-2019-19240 Use of Uninitialized Resource vulnerability in Embedthis Goahead
Embedthis GoAhead before 5.0.1 mishandles redirected HTTP requests with a large Host header.
network
low complexity
embedthis CWE-908
5.3
2019-06-14 CVE-2019-12822 Expression Language Injection vulnerability in Embedthis Goahead
In http.c in Embedthis GoAhead before 4.1.1 and 5.x before 5.0.1, a header parsing vulnerability causes a memory assertion, out-of-bounds memory reference, and potential DoS, as demonstrated by a colon on a line by itself.
network
low complexity
embedthis CWE-917
7.5
2018-08-18 CVE-2018-15505 NULL Pointer Dereference vulnerability in multiple products
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2.
network
low complexity
embedthis juniper CWE-476
7.5
2018-08-18 CVE-2018-15504 NULL Pointer Dereference vulnerability in multiple products
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2.
network
low complexity
embedthis juniper CWE-476
7.5
2017-12-12 CVE-2017-17562 Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
network
high complexity
embedthis oracle
8.1