Vulnerabilities > Yaws > Yaws > 1.93

DATE CVE VULNERABILITY TITLE RISK
2020-09-09 CVE-2020-24916 OS Command Injection vulnerability in multiple products
CGI implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to OS command injection.
network
low complexity
yaws debian canonical CWE-78
critical
 9.8
9.8
2020-09-09 CVE-2020-24379 XXE vulnerability in multiple products
WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.
network
low complexity
yaws debian canonical CWE-611
critical
 9.8
9.8
2019-12-10 CVE-2016-1000108 Open Redirect vulnerability in multiple products
yaws before 2.0.4 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
network
low complexity
yaws debian CWE-601
6.1
6.1