CVSS: 7.8EPSS: %CPEs: 1EXPL: 0CVE-2025-48866 – ModSecurity has possible DoS vulnerability in sanitiseArg action
https://notcve.org/view.php?id=CVE-2025-48866
02 Jun 2025 — ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg... • https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e • CWE-1050: Excessive Platform Resource Consumption within a Loop •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47947 – ModSecurity Has Possible DoS Vulnerability
https://notcve.org/view.php?id=CVE-2025-47947
21 May 2025 — ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available. • https://github.com/owasp-modsecurity/ModSecurity/pull/3389 • CWE-1050: Excessive Platform Resource Consumption within a Loop •
CVSS: 7.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27110 – Libmodsecurity3 has possible bypass of encoded HTML entities
https://notcve.org/view.php?id=CVE-2025-27110
25 Feb 2025 — Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contains leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available. • https://github.com/owasp-modsecurity/ModSecurity/issues/3340 • CWE-172: Encoding Error •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-48171
https://notcve.org/view.php?id=CVE-2023-48171
12 Aug 2024 — An issue in OWASP DefectDojo before v.1.5.3.1 allows a remote attacker to escalate privileges via the user permissions component. • https://gccybermonks.com/posts/defectdojo • CWE-269: Improper Privilege Management •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-23686 – DependencyCheck Debug Mode Logging of NVD API Key
https://notcve.org/view.php?id=CVE-2024-23686
19 Jan 2024 — DependencyCheck for Maven 9.0.0 to 9.0.6, for CLI version 9.0.0 to 9.0.5, and for Ant versions 9.0.0 to 9.0.5, when used in debug mode, allows an attacker to recover the NVD API Key from a log file. DependencyCheck para Maven 9.0.0 a 9.0.6, para la Interfaz de Línea de Comandos (CLI) versión 9.0.0 a 9.0.5 y para Ant versiones 9.0.0 a 9.0.5, cuando se usa en modo de depuración, permite a un atacante recuperar la clave API NVD de un archivo de registro. • https://github.com/advisories/GHSA-qqhq-8r2c-c3f5 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38199
https://notcve.org/view.php?id=CVE-2023-38199
13 Jul 2023 — coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header. • https://github.com/coreruleset/coreruleset/issues/3191 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-4247 – OWASP NodeGoat Query Parameter research.js denial of service
https://notcve.org/view.php?id=CVE-2021-4247
18 Dec 2022 — A vulnerability has been found in OWASP NodeGoat and classified as problematic. This vulnerability affects unknown code of the file app/routes/research.js of the component Query Parameter Handler. The manipulation leads to denial of service. The attack can be initiated remotely. The name of the patch is 4a4d1db74c63fb4ff8d366551c3af006c25ead12. • https://github.com/OWASP/NodeGoat/commit/4a4d1db74c63fb4ff8d366551c3af006c25ead12 • CWE-404: Improper Resource Shutdown or Release •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39350 – @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details
https://notcve.org/view.php?id=CVE-2022-39350
25 Oct 2022 — @dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Due to the common practice of providing vulnerability details in markdown format, the Dependency-Track frontend renders them using the JavaScript library Showdown. Showdown does not have any XSS countermeasures built in, and versions before 4.6.1 of the Dependency-Track frontend did not encode or ... • https://docs.dependencytrack.org/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39351 – Dependency-Track vulnerable to logging of API keys in clear text when handling API requests using keys with insufficient permissions
https://notcve.org/view.php?id=CVE-2022-39351
25 Oct 2022 — Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Prior to version 4.6.0, performing an API request using a valid API key with insufficient permissions causes the API key to be written to Dependency-Track's audit log in clear text. Actors with access to the audit log can exploit this flaw to gain access to valid API keys. The issue has been fixed in Dependency-Track 4.6.0. Instead of logging the entire API key, only the last... • https://docs.dependencytrack.org/changelog • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 10.0EPSS: 0%CPEs: 6EXPL: 0CVE-2022-39955 – Partial rule set bypass in OWASP ModSecurity Core Rule Set by submitting a specially crafted HTTP Content-Type header
https://notcve.org/view.php?id=CVE-2022-39955
20 Sep 2022 — The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x ... • https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves • CWE-863: Incorrect Authorization •