Vulnerabilities > Embedthis > Critical

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
|---|---|---|---|---|
| 2022-08-08 | CVE-2021-41615 | Insufficient Entropy vulnerability in Embedthis Goahead 2.1.8 | websda.c in GoAhead WebServer 2.1.8 has insufficient nonce entropy because the nonce calculation relies on the hardcoded "onceuponatimeinparadise" value, which does not follow the secret-data guideline for HTTP Digest Access Authentication in RFC 7616 section 3.3 (or RFC 2617 section 3.2.1). | network; low complexity; embedthis; CWE-331; critical; 9.8 |
| 2022-01-25 | CVE-2021-43298 | Improper Restriction of Excessive Authentication Attempts vulnerability in Embedthis Goahead | The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate-limiting. | network; low complexity; embedthis; CWE-307; critical; 9.8 |
| 2021-10-14 | CVE-2021-42342 | Unrestricted Upload of File with Dangerous Type vulnerability in Embedthis Goahead | An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. | network; low complexity; embedthis; CWE-434; critical; 9.8 |
| 2019-12-03 | CVE-2019-5096 | Use After Free vulnerability in Embedthis Goahead 3.6.5/4.1.1/5.0.1 | An exploitable code execution vulnerability exists in the processing of multipart/form-data requests within the base GoAhead web server application in versions v5.0.1, v4.1.1 and v3.6.5. | network; low complexity; embedthis; CWE-416; critical; 9.8 |
| 2018-01-03 | CVE-2017-1000471 | NULL Pointer Dereference vulnerability in Embedthis Goahead 4.0.0 | EmbedThis GoAhead Webserver version 4.0.0 is vulnerable to a NULL pointer dereference in the CGI handler resulting in memory corruption or denial of service. | network; low complexity; embedthis; CWE-476; critical; 9.8 |
| 2017-03-13 | CVE-2017-5674 | Information Exposure vulnerability in Embedthis Goahead | A vulnerability in a custom-built GoAhead web server used on Foscam, Vstarcam, and multiple white-label IP camera models allows an attacker to craft a malformed HTTP request ("GET system.ini HTTP/1.1\n\n" - note the lack of "/" in the path field of the request) that will disclose the configuration file with the login password. | network; low complexity; embedthis; CWE-200; critical; 9.8 |