Vulnerabilities > Yaws
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-09-09 | CVE-2020-24916 | OS Command Injection vulnerability in multiple products CGI implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to OS command injection. | 9.8 |
| 2020-09-09 | CVE-2020-24379 | XXE vulnerability in multiple products WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection. | 9.8 |
| 2020-05-15 | CVE-2020-12872 | Inadequate Encryption Strength vulnerability in Yaws yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks, if running on an Erlang/OTP virtual machine with a version less than 21.0. | 5.5 |
| 2019-12-10 | CVE-2016-1000108 | Open Redirect vulnerability in multiple products yaws before 2.0.4 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. | 5.8 |
| 2019-11-26 | CVE-2011-4350 | Path Traversal vulnerability in multiple products Yaws 1.91 has a directory traversal vulnerability in the way certain URLs are processed. | 4.0 |
| 2017-07-07 | CVE-2017-10974 | Path Traversal vulnerability in Yaws 1.91 Yaws 1.91 allows Unauthenticated Remote File Disclosure via HTTP Directory Traversal with /%5C../ to port 8080. | 5.0 |
| 2010-11-04 | CVE-2010-4181 | Path Traversal vulnerability in Yaws 1.89 Directory traversal vulnerability in Yaws 1.89 allows remote attackers to read arbitrary files via ..\ (dot dot backslash) and other sequences. | 5.0 |
| 2010-01-13 | CVE-2009-4495 | Improper Input Validation vulnerability in Yaws 1.85 Yaws 1.85 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. | 5.0 |
| 2009-03-02 | CVE-2009-0751 | Resource Management Errors vulnerability in Yaws Yaws before 1.80 allows remote attackers to cause a denial of service (memory consumption and crash) via a request with a large number of headers. | 5.0 |
| 2005-06-17 | CVE-2005-2008 | Remote Security vulnerability in Webserver Yaws Webserver 1.55 and earlier allows remote attackers to obtain the source code for yaws scripts via a request to a yaw script with a trailing %00 (null). | 5.0 |