彙總 boa 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 輸入驗證問題、SQL 注入、路徑處理缺陷與緩衝區溢位,在 生產負載與軟體部署 使用場景中可能帶來 記憶體損壞、檔案覆寫與資料外洩 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2022-45956 | Boa Web Server versions 0.94.13 through 0.94.14 fail to validate the correct security constraint on the HEAD HTTP method allowing everyone to bypass the Basic Authorization mechanism. | [email protected] | 5.3 | 0.35% | 2022-12-12 | 2025-04-22 |
| CVE-2022-44117 | Boa 0.94.14rc21 is vulnerable to SQL Injection via username. NOTE: the is disputed by multiple third parties because Boa does not ship with any support for SQL. | [email protected] | 9.8 | 0.26% | 2022-11-23 | 2024-11-21 |
| CVE-2021-33558 | Boa 0.94.13 allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js. NOTE: multiple third parties report that this is a site-specific issue because those files are not part of Boa. | [email protected] | 7.5 | 82.89% | 2021-05-27 | 2024-11-21 |
| CVE-2018-21028 | Boa through 0.94.14rc21 allows remote attackers to trigger a memory leak because of missing calls to the free function. | [email protected] | 7.5 | 0.58% | 2019-10-11 | 2024-11-21 |
| CVE-2018-21027 | Boa through 0.94.14rc21 allows remote attackers to trigger an out-of-memory (OOM) condition because malloc is mishandled. | [email protected] | 9.8 | 0.75% | 2019-10-11 | 2024-11-21 |
| CVE-2017-9833 | /cgi-bin/wapopen in Boa 0.94.14rc21 allows the injection of "../.." using the FILECAMERA variable (sent by GET) to read files with root privileges. NOTE: multiple third parties report that this is a system-integrator issue (e.g., a vulnerability on one type of camera) because Boa does not include any wapopen program or any code to read a FILECAMERA variable. | [email protected] | 7.5 | 84.53% | 2017-06-24 | 2026-05-13 |
| CVE-2016-9564 | Buffer overflow in send_redirect() in Boa Webserver 0.92r allows remote attackers to DoS via an HTTP GET request requesting a long URI with only '/' and '.' characters. | [email protected] | 7.5 | 0.62% | 2016-11-30 | 2026-05-06 |
| CVE-2009-4496 | Boa 0.94.14rc21 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. | [email protected] | 5.0 | 10.43% | 2010-01-13 | 2026-04-23 |
| CVE-2007-4915 | The Intersil isl3893 extensions for Boa 0.93.15, as used on the FreeLan RO80211G-AP and other devices, do not prevent stack writes from entering memory locations used for string constants, which allows remote attackers to change the admin password stored in memory via a long username in an HTTP Basic Authentication request. | [email protected] | 10.0 | 82.49% | 2007-09-17 | 2026-04-23 |
| CVE-2000-0920 | Directory traversal vulnerability in BOA web server 0.94.8.2 and earlier allows remote attackers to read arbitrary files via a modified .. (dot dot) attack in the GET HTTP request that uses a "%2E" instead of a "." | [email protected] | 5.0 | 6.56% | 2000-12-19 | 2026-04-16 |