CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-3639 – mod_auth_mellon: Open Redirect vulnerability in logout URLs
https://notcve.org/view.php?id=CVE-2021-3639
09 Sep 2021 — A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an external and potentially malicious server. The highest threat from this liability is to confidentiality and integrity. Se ha encontrado un fallo en mod_auth_mellon que no sanea correctamente las URL de cierre de sesión. Este problema podría ser usado por un atacante para f... • https://access.redhat.com/security/cve/CVE-2021-3639 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-6807 – Ubuntu Security Notice USN-4597-1
https://notcve.org/view.php?id=CVE-2017-6807
13 Mar 2017 — mod_auth_mellon before 0.13.1 is vulnerable to a Cross-Site Session Transfer attack, where a user with access to one web site running on a server can copy their session cookie to a different web site on the same server to get access to that site. mod_auth_mellon en versiones anteriores a 0.13.1 es vulnerable a un ataque de Transferencia de Sesión en Sitios Cruzados, donde un usuario con acceso a un sitio web ejecutándose en un servidor puede copiar su cookie de sesión a un sitio web diferente en el mismo se... • http://www.securityfocus.com/bid/96843 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2016-2145
https://notcve.org/view.php?id=CVE-2016-2145
15 Apr 2016 — The am_read_post_data function in mod_auth_mellon before 0.11.1 does not check if the ap_get_client_block function returns an error, which allows remote attackers to cause a denial of service (segmentation fault and process crash) via a crafted POST data. La función am_read_post_data en mod_auth_mellon en versiones anteriores a 0.11.1 no comprueba si la función ap_get_client_block devuelve un error, lo que permite a atacantes remotos provocar una denegación de servicio (fallo de segmentación y caída de proc... • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179085.html • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2016-2146
https://notcve.org/view.php?id=CVE-2016-2146
15 Apr 2016 — The am_read_post_data function in mod_auth_mellon before 0.11.1 does not limit the amount of data read, which allows remote attackers to cause a denial of service (worker process crash, web server deadlock, or memory consumption) via a large amount of POST data. La función am_read_post_data en mod_auth_mellon en versiones anteriores a 0.11.1 no limita la cantidad de lectura de datos, lo que permite a atacantes remotos provocar una denegación de servicio (caída del proceso trabajador, interbloqueo de servido... • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179085.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.1EPSS: 1%CPEs: 2EXPL: 0CVE-2014-8566 – mod_auth_mellon: remote memory disclosure flaw
https://notcve.org/view.php?id=CVE-2014-8566
05 Nov 2014 — The mod_auth_mellon module before 0.8.1 allows remote attackers to obtain sensitive information or cause a denial of service (segmentation fault) via unspecified vectors related to a "session overflow" involving "sessions overlapping in memory." El modulo mod_auth_mellon anterior a 0.8.1 permite a atacantes remotos obtener información sensible o causar una denegación de servicio (fallo en la segmentación) a través de vectores sin especificar, relacionado con un 'desbordamiento de sesión' que implica 'la sup... • http://linux.oracle.com/errata/ELSA-2014-1803.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.4EPSS: 2%CPEs: 7EXPL: 0CVE-2014-8567 – mod_auth_mellon: logout processing leads to denial of service
https://notcve.org/view.php?id=CVE-2014-8567
05 Nov 2014 — The mod_auth_mellon module before 0.8.1 allows remote attackers to cause a denial of service (Apache HTTP server crash) via a crafted logout request that triggers a read of uninitialized data. El módulo mod_auth_mellon anterior a 0.8.1 permite a atacantes remotos causar una denegación de servicio (caída del servidor Apache HTTP) a través de una petición de apagado del servicio Apache manipulada. It was found that uninitialized data could be accessed when processing a user's logout request. By attempting to ... • http://linux.oracle.com/errata/ELSA-2014-1803.html • CWE-399: Resource Management Errors •