Vulnerabilities > Owasp > Critical

DATE CVE VULNERABILITY TITLE RISK
2023-07-13 CVE-2023-38199 Type Confusion vulnerability in Owasp Coreruleset
coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms.
network
low complexity
owasp CWE-843
critical
9.8
2022-09-20 CVE-2022-39955 The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes.
network
low complexity
owasp fedoraproject debian
critical
9.8
2022-09-20 CVE-2022-39956 Improper Encoding or Escaping of Output vulnerability in multiple products
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set.
network
low complexity
owasp fedoraproject debian CWE-116
critical
9.8
2022-09-02 CVE-2020-22669 SQL Injection vulnerability in multiple products
Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability.
network
low complexity
owasp debian CWE-89
critical
9.8
2022-04-25 CVE-2022-23457 Path Traversal vulnerability in multiple products
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library.
network
low complexity
owasp oracle netapp CWE-22
critical
9.8
2021-11-05 CVE-2021-35368 OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname.
network
low complexity
owasp fedoraproject debian
critical
9.8
2021-10-18 CVE-2021-42575 The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
network
low complexity
owasp oracle
critical
9.8
2021-01-13 CVE-2021-23899 XXE vulnerability in Owasp Json-Sanitizer
OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input.
network
low complexity
owasp CWE-611
critical
9.8