Vulnerabilities > Trustwave > Modsecurity > Medium

DATE CVE VULNERABILITY TITLE RISK
2021-12-07 CVE-2021-42717 Uncontrolled Recursion vulnerability in multiple products
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects.
network
low complexity
trustwave f5 debian oracle CWE-674
5.0
2021-05-06 CVE-2019-25043 Improper Handling of Exceptional Conditions vulnerability in Trustwave Modsecurity
ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header.
network
low complexity
trustwave CWE-755
5.0
2018-07-03 CVE-2018-13065 Cross-site Scripting vulnerability in Trustwave Modsecurity 3.0.0
ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element.
network
low complexity
trustwave CWE-79
6.1
2014-04-15 CVE-2013-5705 apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.
network
low complexity
trustwave debian
5.0
2012-12-28 CVE-2012-4528 The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data.
network
low complexity
trustwave opensuse fedoraproject
5.0
2012-07-22 CVE-2009-5031 Cross-Site Scripting vulnerability in multiple products
ModSecurity before 2.5.11 treats request parameter values containing single quotes as files, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks via a single quote in a request parameter in the Content-Disposition field of a request with a multipart/form-data Content-Type header.
4.3
2009-06-03 CVE-2009-1903 The PDF XSS protection feature in ModSecurity before 2.5.8 allows remote attackers to cause a denial of service (Apache httpd crash) via a request for a PDF file that does not use the GET method. 4.3
2009-06-03 CVE-2009-1902 Null Pointer Dereference vulnerability in multiple products
The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form datapost request with a missing part header name, which triggers a NULL pointer dereference.
network
low complexity
trustwave fedoraproject CWE-476
5.0