Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
teler-waf subject to bypass of common web attack threat rule with HTML entities payload
Vulnerability Description
teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. Versions of teler-waf prior to 0.1.1 can be bypassed by a specially crafted payload that uses HTML entities: the middleware does not properly normalize and filter HTML entities in user input before matching it against its common web attack threat rules, so a script injection whose key characters are entity-encoded is not recognized, even though the victim's browser decodes those entities and executes the payload. An attacker can therefore pass cross-site scripting (XSS) payloads through the middleware, execute arbitrary JavaScript in the victim's browser, and steal sensitive information such as login credentials and session tokens, or take control of the victim's browser session and perform malicious actions. Note that the bypass only has impact where the protected application itself reflects or stores the input unsafely; teler-waf is a defense-in-depth layer, not a substitute for output encoding in the application. This issue has been fixed in version 0.1.1.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (base score 6.5, Medium)
Vulnerability Type
Improper neutralization of script-related HTML tags in a web page (basic cross-site scripting)
Vulnerability Title
teler-waf cross-site scripting vulnerability
Vulnerability Description
teler-waf is a Go HTTP middleware that provides teler IDS functionality to prevent web-based attacks and improve the security of Go-based web applications. It is highly configurable and easy to integrate into existing Go applications. Versions of teler-waf prior to 0.1.1 contain a security vulnerability that stems from teler-waf failing to properly sanitize and filter HTML entities in user input. An attacker can exploit this flaw to bypass the common web attack threat rules in teler-waf and launch cross-site scripting (XSS) attacks.
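Both descriptions above come down to one point: a rule set that pattern-matches raw input can be evaded by encoding the characters the rules key on, because the browser decodes HTML entities (in attribute values, for example) before executing anything. The following Go program is an added illustration of that bypass class and of the normalize-then-match fix; it is not teler-waf's code, its three regexes are constructed stand-ins for a WAF's "common web attack" rules rather than the project's real rule set, and the payloads are constructed for the example, not the one reported against teler-waf.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
)

// Constructed stand-ins for a WAF's XSS rules (not teler-waf's actual rules):
// a script tag, an event handler calling a JS dialog/eval, and a javascript: URL.
var xssRules = []*regexp.Regexp{
	regexp.MustCompile(`(?i)<\s*script`),
	regexp.MustCompile(`(?i)\bon[a-z]+\s*=\s*["']?\s*(alert|prompt|confirm|eval)\s*\(`),
	regexp.MustCompile(`(?i)javascript\s*:`),
}

// matchRules reports whether any rule fires on the text exactly as given.
func matchRules(s string) bool {
	for _, re := range xssRules {
		if re.MatchString(s) {
			return true
		}
	}
	return false
}

// naiveCheck inspects only the raw request string. This models the flawed
// behaviour the advisory describes: entity-encoded payloads slip past.
func naiveCheck(input string) bool {
	return matchRules(input)
}

// normalize canonicalizes input into the form the browser will eventually see:
// percent-decode once, then HTML-unescape until the string stops changing, so
// double-encoded entities (&amp;#97;) are collapsed too. The loop is bounded so
// adversarial input cannot keep it busy.
func normalize(input string) string {
	s := input
	if u, err := url.QueryUnescape(s); err == nil {
		s = u
	}
	for i := 0; i < 4; i++ {
		next := html.UnescapeString(s)
		if next == s {
			break
		}
		s = next
	}
	return s
}

// hardenedCheck runs the same rules over the normalized form, which is the
// shape of the fix: decode first, match second.
func hardenedCheck(input string) bool {
	return matchRules(normalize(input))
}

func main() {
	// Constructed payloads. The second hides "alert(" behind decimal entities
	// inside an attribute value, which the browser decodes before running it;
	// the third wraps the same trick in percent-encoding as it would travel in a
	// query string; the fourth is benign text that happens to contain an entity.
	samples := []string{
		`<img src=x onerror=alert(1)>`,
		`<img src=x onerror="&#97;&#108;&#101;&#114;&#116;(1)">`,
		`%3Cimg%20src%3Dx%20onerror%3D%26%2397%3Blert(1)%3E`,
		`Tom &amp; Jerry`,
	}
	for _, p := range samples {
		fmt.Printf("%-60s naive=%-5v hardened=%v\n", p, naiveCheck(p), hardenedCheck(p))
	}
}
```

The takeaway for anyone writing or tuning such rules: every decoding step the downstream consumer performs (URL decoding, HTML entity decoding, and for some sinks Unicode or JS string escapes) must be replayed on the WAF side before matching, and a benign string containing an entity must still pass.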
CVSS Information
N/A
Vulnerability Type
N/A