CVSS: 9.8EPSS: 32%CPEs: 1EXPL: 1CVE-2022-30592
https://notcve.org/view.php?id=CVE-2022-30592
11 May 2022 — liblsquic/lsquic_qenc_hdl.c in LiteSpeed QUIC (aka LSQUIC) before 3.1.0 mishandles MAX_TABLE_CAPACITY. El archivo liblsquic/lsquic_qenc_hdl.c en LiteSpeed QUIC (también se conoce como LSQUIC) versiones anteriores a 3.1.0, maneja inapropiadamente MAX_TABLE_CAPACITY • https://github.com/efchatz/HTTP3-attacks • CWE-476: NULL Pointer Dereference •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24963 – LiteSpeed Cache < 4.4.4 - Admin+ Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24963
30 Nov 2021 — The LiteSpeed Cache WordPress plugin before 4.4.4 does not escape the qc_res parameter before outputting it back in the JS code of an admin page, leading to a Reflected Cross-Site Scripting El plugin LiteSpeed Cache de WordPress versiones anteriores a 4.4.4, no escapa el parámetro qc_res antes de devolverlo al código JS de una página de administración, conllevando a un ataque de tipo Cross-Site Scripting Reflejado The LiteSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via t... • https://plugins.trac.wordpress.org/changeset/2634373 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 14%CPEs: 1EXPL: 1CVE-2021-24964 – LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2021-24964
30 Nov 2021 — The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoint could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by... • https://wpscan.com/vulnerability/e9966b3e-2eb9-4d70-8c18-6a829b4827cc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 3%CPEs: 1EXPL: 3CVE-2021-26758
https://notcve.org/view.php?id=CVE-2021-26758
07 Apr 2021 — Privilege Escalation in LiteSpeed Technologies OpenLiteSpeed web server version 1.7.8 allows attackers to gain root terminal access and execute commands on the host system. Una Escalada de privilegios en el servidor web LiteSpeed ??Technologies OpenLiteSpeed ??versión 1.7.8, permite a atacantes obtener acceso terminal root y ejecutar comandos en el sistema host • https://docs.unsafe-inline.com/0day/openlitespeed-web-server-1.7.8-command-injection-to-privilege-escalation-cve-2021-26758 • CWE-269: Improper Privilege Management •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-29172 – LiteSpeed Cache <= 3.6 - Authenticated Stored Cross-Site Scripting via IP setting
https://notcve.org/view.php?id=CVE-2020-29172
26 Dec 2020 — A cross-site scripting (XSS) vulnerability in the LiteSpeed Cache plugin before 3.6.1 for WordPress can be exploited via the Server IP setting. Una vulnerabilidad de tipo cross-site scripting (XSS) en el plugin LiteSpeed ??Cache versiones anteriores a 3.6.1 para WordPress puede ser explotada por medio de la configuración de IP del Servidor • https://wordpress.org/plugins/litespeed-cache/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5519
https://notcve.org/view.php?id=CVE-2020-5519
06 Jan 2020 — The WebAdmin Console in OpenLiteSpeed before v1.6.5 does not strictly check request URLs, as demonstrated by the "Server Configuration > External App" screen. La WebAdmin Console en OpenLiteSpeed ??versiones anteriores a la versión v1.6.5 no comprueba estrictamente las URL de petición, como es demostrado por la pantalla "Server Configuration > External App". • https://drive.google.com/open?id=1pSciFEfjHp3kN8y5shy_zosJo7dje_fX • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 1CVE-2018-19791
https://notcve.org/view.php?id=CVE-2018-19791
03 Dec 2018 — The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 does not correctly handle requests for byte sequences, allowing an attacker to amplify the response size by requesting the entire response body repeatedly, as demonstrated by an HTTP Range header value beginning with the "bytes=0-,0-" substring. El servidor en LiteSpeed OpenLiteSpeed en versiones anteriores a la 1.5.0 RC6 no manipula correctamente las peticiones para secuencias de bytes, permitiendo a un atacante que amplíe el tamaño de la respuesta al ... • https://github.com/litespeedtech/openlitespeed/issues/117 • CWE-20: Improper Input Validation •
CVSS: 6.7EPSS: 0%CPEs: 6EXPL: 1CVE-2018-19792
https://notcve.org/view.php?id=CVE-2018-19792
03 Dec 2018 — The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 allows local users to cause a denial of service (buffer overflow) or possibly have unspecified other impact by creating a symlink through which the openlitespeed program can be invoked with a long command name (involving ../ characters), which is mishandled in the LshttpdMain::getServerRootFromExecutablePath function. El servidor en LiteSpeed OpenLiteSpeed en versiones anteriores a la 1.5.0 RC6 permite que los usuarios locales provoquen una denegación d... • https://github.com/litespeedtech/openlitespeed/issues/117 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2015-3890
https://notcve.org/view.php?id=CVE-2015-3890
20 Sep 2017 — Use-after-free vulnerability in Open Litespeed before 1.3.10. Existe una vulnerabilidad de uso de memoria previamente liberada en Open Litespeed en versiones anteriores a la 1.3.10. • http://www.security-assessment.com/files/documents/advisory/Open%20Litespeed%20Use%20After%20Free%20Vulnerability.pdf • CWE-416: Use After Free •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 3CVE-2012-4871 – Litespeed Web Server - 'gtitle' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-4871
06 Sep 2012 — Cross-site scripting (XSS) vulnerability in service/graph_html.php in the administrator panel in LiteSpeed Web Server 4.1.11 allows remote attackers to inject arbitrary web script or HTML via the gtitle parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en rvice/graph_html.php en el panel de administrador en LiteSpeed ??Web Server v4.1.11 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro gtitle • https://www.exploit-db.com/exploits/37947 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •