
CVE-2023-50463
https://notcve.org/view.php?id=CVE-2023-50463
10 Dec 2023 — The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions). The caddy-geo-ip (also known as GeoIP) middleware through version 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address ... • https://caddyserver.com/v2 • CWE-290: Authentication Bypass by Spoofing •

CVE-2023-49854 – WordPress Caddy Plugin <= 1.9.7 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-49854
07 Dec 2023 — Cross-Site Request Forgery (CSRF) vulnerability in Tribe Interactive Caddy – Smart Side Cart for WooCommerce. This issue affects Caddy – Smart Side Cart for WooCommerce: from n/a through 1.9.7. Cross-Site Request Forgery (CSRF) vulnerability in Tribe Interactive Caddy – Smart Side Cart for WooCommerce. This issue affects Caddy – Smart Side Cart for WooCommerce: from n/a through 1.9.7. The Caddy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.9.7. T... • https://patchstack.com/database/vulnerability/caddy/wordpress-caddy-plugin-1-9-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild between August and October 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •

CVE-2018-21246
https://notcve.org/view.php?id=CVE-2018-21246
15 Jun 2020 — Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode. Caddy versions before 0.10.13 mishandle TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode. • https://bugs.gentoo.org/715214 • CWE-287: Improper Authentication •

CVE-2018-19148
https://notcve.org/view.php?id=CVE-2018-19148
10 Nov 2018 — Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Specifically, when unable to match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost in its configuration. Repeated requests (with a nonexistent hostname in the Host header) permit full enumeration of all certificates on the server. This generally permits an attacker to easily and accurately discover the existence ... • https://github.com/mholt/caddy/issues/1303 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •