Vulnerabilities > Trustwave > Modsecurity > 2.2.0

DATE CVE VULNERABILITY TITLE RISK
2023-01-20 CVE-2022-48279 Interpretation Conflict vulnerability in multiple products
In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall.
network
low complexity
trustwave debian CWE-436
7.5
2023-01-20 CVE-2023-24021 Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer over-reads on the Web Application Firewall when executing rules that read the FILES_TMP_CONTENT collection.
network
low complexity
trustwave debian
7.5
2021-12-07 CVE-2021-42717 Uncontrolled Recursion vulnerability in multiple products
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects.
network
low complexity
trustwave f5 debian oracle CWE-674
5.0
2014-04-15 CVE-2013-5705 apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.
network
low complexity
trustwave debian
5.0
2013-04-25 CVE-2013-1915 XXE vulnerability in multiple products
ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability.
network
low complexity
trustwave opensuse fedoraproject debian CWE-611
7.5
2012-12-28 CVE-2012-4528 The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data.
network
low complexity
trustwave opensuse fedoraproject
5.0
2012-07-22 CVE-2009-5031 Cross-Site Scripting vulnerability in multiple products
ModSecurity before 2.5.11 treats request parameter values containing single quotes as files, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks via a single quote in a request parameter in the Content-Disposition field of a request with a multipart/form-data Content-Type header.
4.3
2009-06-03 CVE-2009-1903 The PDF XSS protection feature in ModSecurity before 2.5.8 allows remote attackers to cause a denial of service (Apache httpd crash) via a request for a PDF file that does not use the GET method. 4.3
2009-06-03 CVE-2009-1902 Null Pointer Dereference vulnerability in multiple products
The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form datapost request with a missing part header name, which triggers a NULL pointer dereference.
network
low complexity
trustwave fedoraproject CWE-476
5.0