
CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

02 Jun 2025 — ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` action (and `sanitizeArg`, an alias for the same action) is vulnerable to requests that add an excessive number of arguments, leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg... • https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e • CWE-1050: Excessive Platform Resource Consumption within a Loop •

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

21 May 2025 — ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the request body's content type is `application/json` and at least one rule performs the `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and is expected to be part of version 2.9.9. No known workarounds are available. A flaw was found in the mod_s... • https://github.com/owasp-modsecurity/ModSecurity/pull/3389 • CWE-1050: Excessive Platform Resource Consumption within a Loop •

CVSS: 7.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Feb 2025 — Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors, taking in web traffic and applying traditional ModSecurity processing. A bug present only in Libmodsecurity3 version 3.0.13 prevents it from decoding HTML entities that contain leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available. • https://github.com/owasp-modsecurity/ModSecurity/issues/3340 • CWE-172: Encoding Error •
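To see why a decoder that fails on leading zeroes matters for a WAF, the Python below (an added example, not libmodsecurity's code) implements a numeric character reference decoder that accepts them, an illustrative decoder that does not, and a signature check run after each. The `<script` signature and the three payloads are constructed for the example; the buggy decoder is a stand-in for the behaviour the advisory describes, not a copy of the 3.0.13 logic.

```python
import html
import re


def decode_numeric_refs(text):
    """Decode &#NNN; and &#xHHH; numeric character references.

    int() ignores leading zeroes, so "&#0065;", "&#65;" and "&#x0041;" all
    become "A", which is what a browser does with them. Out-of-range code
    points are left as written.
    """
    def repl(m):
        dec, hexa = m.group(1), m.group(2)
        code = int(dec, 10) if dec is not None else int(hexa, 16)
        return chr(code) if code <= 0x10FFFF else m.group(0)
    return re.sub(r"&#(?:(\d+)|[xX]([0-9a-fA-F]+));", repl, text)


def decode_rejecting_leading_zero(text):
    """Illustrative buggy decoder (not libmodsecurity's code): it only
    accepts references whose first digit is non-zero, standing in for the
    3.0.13 behaviour the advisory describes."""
    def repl(m):
        dec, hexa = m.group(1), m.group(2)
        return chr(int(dec, 10)) if dec is not None else chr(int(hexa, 16))
    return re.sub(r"&#(?:([1-9]\d*)|[xX]([1-9a-fA-F][0-9a-fA-F]*));", repl, text)


# Hypothetical signature a WAF might apply after decoding.
SIGNATURE = re.compile(r"<script", re.IGNORECASE)


def waf_blocks(payload, decoder):
    """Emulate a WAF that decodes entities, then matches the signature."""
    return SIGNATURE.search(decoder(payload)) is not None


def stdlib_agrees(payload):
    """Cross-check the decoder against html.unescape on the same payload."""
    return decode_numeric_refs(payload) == html.unescape(payload)


# Constructed payloads: the same "<script>" written three ways.
PLAIN = "<script>alert(1)</script>"
DEC_PADDED = "&#0060;script&#0062;alert(1)&#0060;/script&#0062;"
HEX_PADDED = "&#x003c;script&#x003e;alert(1)&#x003c;/script&#x003e;"

if __name__ == "__main__":
    for name, payload in [("plain", PLAIN), ("dec", DEC_PADDED), ("hex", HEX_PADDED)]:
        print(name, "fixed:", waf_blocks(payload, decode_numeric_refs),
              "buggy:", waf_blocks(payload, decode_rejecting_leading_zero))
```

The point of the cross-check is that the decoder the WAF uses has to agree with the consumer of the bytes: `&#0060;` reaches the browser as `<` whatever the WAF made of it, so a decoder that passes the reference through undecoded hands the signature nothing to match.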

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Oct 2024 — A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. NOTE: this is disputed by the Supplier because it cannot be reproduced. Also, the product's documentation indicates that it is not guaranteed to be usable with very large values of SecRequestBodyNoFilesLimit (which are required by the claimed issue). • https://github.com/owasp-modsecurity/ModSecurity/blob/v3/master/README.md • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

09 Jul 2019 — An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid. • https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1386 • CWE-434: Unrestricted Upload of File with Dangerous Type •
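The general lesson of that entry is that a rule matching a parameter name literally must canonicalise the name the way the backend does. The Python below is an added example, not the CRS rule: it applies PHP's documented rewrite of request variable names (dots and spaces become underscores when `$_GET`/`$_POST` are populated) to the names in a form body and compares a literal check with a PHP-aware one. The advisory does not say which request component the affected rule inspected, so the `X_Filename` literal, the form bodies and the array-syntax handling are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl


def php_variable_name(raw):
    """Rewrite a request variable name the way PHP does when it fills
    $_GET/$_POST: dots and spaces become underscores ("a.b" -> "a_b", per
    the PHP manual's "Variables From External Sources"). Assumption made
    here: only the part before the first '[' is rewritten, so array syntax
    such as "a.b[c.d]" keeps its subscript untouched."""
    base, sep, rest = raw.partition("[")
    return re.sub(r"[. ]", "_", base) + sep + rest


# Hypothetical literal the rule compares names against (not the CRS rule).
BLOCKED_NAMES = frozenset(["X_Filename"])


def rule_literal_match(names):
    """Pre-fix style check: compare the raw parameter name with the literal."""
    return any(n in BLOCKED_NAMES for n in names)


def rule_php_aware_match(names):
    """Compare the name as PHP will expose it to the application."""
    return any(php_variable_name(n) in BLOCKED_NAMES for n in names)


def param_names(urlencoded_body):
    """Parameter names of an application/x-www-form-urlencoded body."""
    return [k for k, _ in parse_qsl(urlencoded_body, keep_blank_values=True)]


# Constructed request bodies: the first uses the name the rule expects,
# the second the dotted variant that PHP maps to the same $_POST key.
EXPECTED_BODY = "X_Filename=shell.php&data=%3C%3Fphp+phpinfo%28%29%3B+%3F%3E"
EVASIVE_BODY = "X.Filename=shell.php&data=%3C%3Fphp+phpinfo%28%29%3B+%3F%3E"


def evaluate(body):
    """Return (literal_rule_fires, php_aware_rule_fires) for a body."""
    names = param_names(body)
    return rule_literal_match(names), rule_php_aware_match(names)


if __name__ == "__main__":
    print("expected name:", evaluate(EXPECTED_BODY))
    print("dotted name:  ", evaluate(EVASIVE_BODY))
```

The same reasoning applies to any backend-side normalisation (case folding, `-` to `_` in header-derived names, duplicate parameter precedence): the rule sees the request as sent, the application sees it after its framework has rewritten it, and the gap between the two is where the bypass lives.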

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

21 Apr 2019 — An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDoS) by entering a specially crafted string with $a# at the beginning and nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity. • https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1357 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

21 Apr 2019 — An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDoS) by entering a specially crafted string with set_error_handler# at the beginning and nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity. • https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1358 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

21 Apr 2019 — An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDoS) by entering a specially crafted string with next# at the beginning and nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity. • https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1356 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

21 Apr 2019 — An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf allows remote attackers to cause a denial of service (ReDoS) by entering a specially crafted string with nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity. • https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1354 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

21 Apr 2019 — An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf allows remote attackers to cause a denial of service (ReDoS) by entering a specially crafted string with nested repetition operators. • https://coreruleset.org/20190627/announcement-owasp-modsecurity-core-rule-set-version-3-1-1 • CWE-400: Uncontrolled Resource Consumption •
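The five ReDoS entries above all describe the same shape of problem: a quantified group whose body is itself quantified, so a long run of characters the group accepts, followed by something that makes the overall match fail, forces a backtracking engine to try every way of splitting the run. The Python below is an added example; the two patterns are constructed in the style of a keyword rule and are not the CRS regexes the advisories refer to. It pairs a heuristic lint for that shape with a timing harness that makes the exponential growth visible using Python's own backtracking `re` module.

```python
import re
import time

# Constructed patterns (illustrations, not the CRS regexes): the first nests
# a quantified group inside another quantifier, the second is a flattened
# equivalent that accepts the same strings without the nesting.
VULNERABLE = r"(?i)set_error_handler\s*\((\s*\w+\s*)+\)"
SAFE = r"(?i)set_error_handler\s*\([\s\w]*\)"

# Heuristic: a group (not an escaped paren) whose body ends in a quantifier
# and which is itself quantified, e.g. "(a+)+", "(\s*\w+)*", "(x{2,})+".
# It is a lint, not a proof: "\\(" and lookarounds can fool it either way.
NESTED_QUANTIFIER = re.compile(r"(?<!\\)\((?:[^()\\]|\\.)*[+*}]\)[+*{]")


def find_nested_quantifier(pattern):
    """Return the offending fragment, or None if the heuristic finds nothing."""
    m = NESTED_QUANTIFIER.search(pattern)
    return m.group(0) if m else None


def worst_case_input(n):
    """Keyword, opening paren, n word characters, then a byte that forces failure.

    For VULNERABLE the n word characters can be split across iterations of
    the inner group in 2**(n-1) ways, and every split is tried before the
    match fails at the trailing '#'.
    """
    return "set_error_handler(" + "a" * n + "#"


def seconds_to_fail(pattern, n):
    """Wall-clock time for one failed search of pattern on worst_case_input(n)."""
    text = worst_case_input(n)
    start = time.perf_counter()
    matched = re.search(pattern, text)
    elapsed = time.perf_counter() - start
    assert matched is None  # the input is built so that neither pattern matches
    return elapsed


if __name__ == "__main__":
    print("lint:", find_nested_quantifier(VULNERABLE), find_nested_quantifier(SAFE))
    for n in (12, 14, 16, 18):
        print(f"n={n:2d}  vulnerable={seconds_to_fail(VULNERABLE, n):.4f}s"
              f"  safe={seconds_to_fail(SAFE, n):.6f}s")
```

Run stand-alone, the `VULNERABLE` timings roughly quadruple for every two extra characters while `SAFE` stays flat. The maintainer's dispute is worth reading alongside this: ModSecurity v2 runs PCRE under `SecPcreMatchLimit` and `SecPcreMatchLimitRecursion`, which abort a runaway match (the recommended configuration exposes that event as `MSC_PCRE_LIMITS_EXCEEDED`), so a pattern that is catastrophic in isolation is not automatically exploitable through the engine. The lint is still worth running over a rule set, because a rule whose match is aborted by the limit is a rule that did not inspect the request.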