yaws

11 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2020-24916
>= 1.81 and <= 2.0.7
CGI implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to OS command injection.
9.8 CRITICAL
CVE-2020-24379
>= 1.81 and <= 2.0.7
WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.
9.8 CRITICAL
CVE-2020-12872
>= 2.0.2 and <= 2.0.6
yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks,
5.5 MEDIUM
CVE-2016-1000108
< 2.0.4
yaws before 2.0.4 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI appli
6.1 MEDIUM
CVE-2011-4350
all versions
Yaws 1.91 has a directory traversal vulnerability in the way certain URLs are processed. A remote authenticated user could use thi
6.5 MEDIUM
CVE-2017-10974
all versions
Yaws 1.91 allows Unauthenticated Remote File Disclosure via HTTP Directory Traversal with /%5C../ to port 8080. NOTE: this CVE is
7.5 HIGH
CVE-2011-5025
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the wiki application in Yaws 1.88 allow remote attackers to inject arbitrar
CVE-2010-4181
all versions
Directory traversal vulnerability in Yaws 1.89 allows remote attackers to read arbitrary files via ..\ (dot dot backslash) and oth
CVE-2009-4495
all versions
Yaws 1.85 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a wi
CVE-2009-0751
<= 1.79
Yaws before 1.80 allows remote attackers to cause a denial of service (memory consumption and crash) via a request with a large nu
CVE-2005-2008
all versions
Yaws Webserver 1.55 and earlier allows remote attackers to obtain the source code for yaws scripts via a request to a yaw script w
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin