HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the MAX_HDR_HISTORY variable. Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allow remote attackers to spoof the address bar via vectors involving authentication information in the userinfo field of a URL, in conjunction with a 204 (aka No Content) HTTP status code. This product uses data from the NVD API but is not endorsed or certified by the NVD. See NVD website for more information. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site . CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site . OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site . This web site uses cookies for managing your session and website analytics (Google analytics) purposes as described in our privacy policy . By using this web site you are agreeing to CVEdetails.com terms of use !