This page lists publicly disclosed CVE vulnerabilities affecting uninett mod_auth_mellon (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2021-3639 | A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an external and potentially malicious server. The highest threat from this liability is to confidentiality and integrity. | [email protected] | 6.1 | 0.16% | 2022-08-22 | 2024-11-21 |
| CVE-2017-6807 | mod_auth_mellon before 0.13.1 is vulnerable to a Cross-Site Session Transfer attack, where a user with access to one web site running on a server can copy their session cookie to a different web site on the same server to get access to that site. | [email protected] | 6.1 | 0.36% | 2017-03-13 | 2026-05-13 |
| CVE-2016-2146 | The am_read_post_data function in mod_auth_mellon before 0.11.1 does not limit the amount of data read, which allows remote attackers to cause a denial of service (worker process crash, web server deadlock, or memory consumption) via a large amount of POST data. | [email protected] | 7.5 | 0.65% | 2016-04-15 | 2026-05-06 |
| CVE-2016-2145 | The am_read_post_data function in mod_auth_mellon before 0.11.1 does not check if the ap_get_client_block function returns an error, which allows remote attackers to cause a denial of service (segmentation fault and process crash) via a crafted POST data. | [email protected] | 7.5 | 0.80% | 2016-04-15 | 2026-05-06 |
| CVE-2014-8566 | The mod_auth_mellon module before 0.8.1 allows remote attackers to obtain sensitive information or cause a denial of service (segmentation fault) via unspecified vectors related to a "session overflow" involving "sessions overlapping in memory." | [email protected] | 6.4 | 0.94% | 2014-11-15 | 2026-05-06 |
| CVE-2014-8567 | The mod_auth_mellon module before 0.8.1 allows remote attackers to cause a denial of service (Apache HTTP server crash) via a crafted logout request that triggers a read of uninitialized data. | [email protected] | 9.4 | 3.60% | 2014-11-14 | 2026-05-06 |