CVSS: 7.5EPSS: 1%CPEs: 3EXPL: 1CVE-2019-5097
https://notcve.org/view.php?id=CVE-2019-5097
03 Dec 2019 — A denial-of-service vulnerability exists in the processing of multi-part/form-data requests in the base GoAhead web server application in versions v5.0.1, v.4.1.1 and v3.6.5. A specially crafted HTTP request can lead to an infinite loop in the process. The request can be unauthenticated in the form of GET or POST requests and does not require the requested resource to exist on the server. Se presenta una vulnerabilidad de denegación de servicio en el procesamiento de peticiones datos de formulario multipart... • https://talosintelligence.com/vulnerability_reports/TALOS-2019-0889 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2019-19240
https://notcve.org/view.php?id=CVE-2019-19240
22 Nov 2019 — Embedthis GoAhead before 5.0.1 mishandles redirected HTTP requests with a large Host header. The GoAhead WebsRedirect uses a static host buffer that has a limited length and can overflow. This can cause a copy of the Host header to fail, leaving that buffer uninitialized, which may leak uninitialized data in a response. Incruste GoAhead versiones anteriores a 5.0.1, maneja inapropiadamente las peticiones HTTP redireccionadas con un encabezado Host grande. GoAhead WebsRedirect utiliza un búfer de host estáti... • https://github.com/embedthis/goahead/issues/289 • CWE-787: Out-of-bounds Write CWE-908: Use of Uninitialized Resource •
CVSS: 8.6EPSS: 15%CPEs: 1EXPL: 3CVE-2019-16645 – GoAhead 2.5.0 - Host Header Injection
https://notcve.org/view.php?id=CVE-2019-16645
20 Sep 2019 — An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (such as goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP Host header sent by an attacker. This could potentially be used in a phishing attack. Se detectó un problema en Embedthis GoAhead versión 2.5.0. Ciertas páginas (tales como goform/login y config/log_off_page.htm) crean enlaces que contienen un nombre del host obtenido desde un encabezado de Host HTTP arbitrario enviado por par... • https://packetstorm.news/files/id/154652 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-12822
https://notcve.org/view.php?id=CVE-2019-12822
14 Jun 2019 — In http.c in Embedthis GoAhead before 4.1.1 and 5.x before 5.0.1, a header parsing vulnerability causes a memory assertion, out-of-bounds memory reference, and potential DoS, as demonstrated by a colon on a line by itself. En el archivo http.c en Embedthis GoAhead anterior a versión 4.1.1 y versión 5.x anterior a la 5.0.1, una vulnerabilidad en el análisis de encabezado provoca una aserción de memoria, una referencia de memoria fuera de límites y un potencial DoS, como fue demostrado por dos puntos en una l... • https://github.com/embedthis/goahead/compare/5349710...579f21f • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVSS: 7.5EPSS: 0%CPEs: 459EXPL: 2CVE-2018-15504
https://notcve.org/view.php?id=CVE-2018-15504
18 Aug 2018 — An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11. Se ha descubierto un problema en Embedthis GoAhead en versiones anteriores a la 4.0.1 y Appweb anteriores a la 7.0.2. El servidor maneja incorrectamente algunos campos request HTTP asociados con time, lo que resulta en una de... • https://github.com/embedthis/appweb/commit/66067ae6d1fa08b37a270e7dc1821df52ed2daef • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 0%CPEs: 225EXPL: 2CVE-2018-15505
https://notcve.org/view.php?id=CVE-2018-15505
18 Aug 2018 — An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 address. Se ha descubierto un problema en Embedthis GoAhead en versiones anteriores a la 4.0.1 y Appweb anteriores a la 7.0.2. Una petición HTTP POST con un campo de cabecera "Host" especialmente manipulado puede causar una... • https://github.com/embedthis/appweb/commit/16e6979c82297d5fc4f8661e7ada975f51e4dfa9 • CWE-476: NULL Pointer Dereference •
CVSS: 8.1EPSS: 89%CPEs: 1EXPL: 1CVE-2018-8715
https://notcve.org/view.php?id=CVE-2018-8715
14 Mar 2018 — The Embedthis HTTP library, and Appweb versions before 7.0.3, have a logic flaw related to the authCondition function in http/httpLib.c. With a forged HTTP request, it is possible to bypass authentication for the form and digest login types. La biblioteca HTTP Appweb, de Embedthis, en versiones anteriores a la 7.0.3, tiene un error de lógica relacionado con la función authCondition en http/httpLib.c. Con una petición HTTP manipulada, es posible omitir la autenticación para los tipos de inicio de sesión form... • https://blogs.securiteam.com/index.php/archives/3676 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1000470
https://notcve.org/view.php?id=CVE-2017-1000470
03 Jan 2018 — EmbedThis GoAhead Webserver versions 4.0.0 and earlier is vulnerable to an integer overflow in the HTTP listener resulting in denial of service. EmbedThis GoAhead Webserver, en versiones 4.0.0 y anteriores, es vulnerable a un desbordamiento de enteros en el agente de escucha HTTP. Esto resulta en una denegación de servicio (DoS). • https://github.com/embedthis/goahead/commit/adeb4abc6c998c19524e09fde20c02b4a26765a3 • CWE-190: Integer Overflow or Wraparound •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1000471
https://notcve.org/view.php?id=CVE-2017-1000471
03 Jan 2018 — EmbedThis GoAhead Webserver version 4.0.0 is vulnerable to a NULL pointer dereference in the CGI handler resulting in memory corruption or denial of service. EmbedThis GoAhead Webserver, versión 4.0.0, es vulnerable a una desreferencia de puntero NULL en el manipulador CGI. Esto resulta en una corrupción de memoria o denegación de servicio (DoS). • https://github.com/embedthis/goahead/commit/5e6be61e42448f503e75e287dc332b1ecbf2a665#diff-7c9c60c790648b06210f57b9e2f53ca7 • CWE-476: NULL Pointer Dereference •
CVSS: 8.1EPSS: 94%CPEs: 3EXPL: 10CVE-2017-17562 – Embedthis GoAhead Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2017-17562
12 Dec 2017 — Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it u... • https://packetstorm.news/files/id/146061 •