CyberSec.Space Logo
Back to CVE Browser

CVE-2018-3774

CRITICAL
10.0
CVSS Severity Score
EPSS Score0.1780%
EPSS Percentile36.43th
PublishedAug 12, 2018
Last ModifiedNov 21, 2024

Vulnerability Description

Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

Affected Platforms (CPE)

πŸ’»
Url Parse Project

Url Parse

< 1.4.3

References & Advisories

πŸ”— https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a
πŸ”— https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de
πŸ”— https://hackerone.com/reports/384029
πŸ”— https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a
πŸ”— https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de
πŸ”— https://hackerone.com/reports/384029

Related Vulnerabilities

CVE-2021-2732910.0

Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or HTTP requests to arbitrary domain names.

CVE-2006-118910.0

Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via ...

CVE-2018-390710.0

An exploitable vulnerability exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Fi...

CVE-2008-001610.0

Stack-based buffer overflow in the URL parsing implementation in Mozilla Firefox before 2.0.0.17 and SeaMonkey before 1.1.12 allow...