Shodan
Vulnerabilities
Vulnerable Software
Haxx:  >> Curl  >> 7.19.7-53  Security Vulnerabilities
CVE-2016-0755
The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.
CVSS Score
7.3
EPSS Score
0.009
Published
2016-01-29
CVE-2016-0754
cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name.
CVSS Score
5.3
EPSS Score
0.004
Published
2016-01-29
CVE-2015-3153
The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
CVSS Score
5.0
EPSS Score
0.062
Published
2015-05-01
CVE-2014-3620
cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.
CVSS Score
5.0
EPSS Score
0.017
Published
2014-11-18
CVE-2014-3613
cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
CVSS Score
5.0
EPSS Score
0.013
Published
2014-11-18
CVE-2013-1944
The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.
CVSS Score
5.0
EPSS Score
0.025
Published
2013-04-29
CVE-2011-3389
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
CVSS Score
4.3
EPSS Score
0.054
Published
2011-09-06


Products
Pricing
Contact Us

Shodan ® - All rights reserved