Vulnerabilities > Trustwave > Modsecurity > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-12-07 | CVE-2021-42717 | Uncontrolled Recursion vulnerability in multiple products ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. | 5.0 |
| 2021-05-06 | CVE-2019-25043 | Improper Handling of Exceptional Conditions vulnerability in Trustwave Modsecurity ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header. | 5.0 |
| 2018-07-03 | CVE-2018-13065 | Cross-site Scripting vulnerability in Trustwave Modsecurity 3.0.0 ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. | 6.1 |
| 2014-04-15 | CVE-2013-5705 | apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header. | 5.0 |
| 2012-12-28 | CVE-2012-4528 | The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data. | 5.0 |
| 2012-07-22 | CVE-2009-5031 | Cross-Site Scripting vulnerability in multiple products ModSecurity before 2.5.11 treats request parameter values containing single quotes as files, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks via a single quote in a request parameter in the Content-Disposition field of a request with a multipart/form-data Content-Type header. | 4.3 |
| 2009-06-03 | CVE-2009-1903 | The PDF XSS protection feature in ModSecurity before 2.5.8 allows remote attackers to cause a denial of service (Apache httpd crash) via a request for a PDF file that does not use the GET method. | 4.3 |
| 2009-06-03 | CVE-2009-1902 | Null Pointer Dereference vulnerability in multiple products The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form datapost request with a missing part header name, which triggers a NULL pointer dereference. | 5.0 |