Posted by Gsunde Orangen on Apr 08

Thanks, Matthew, for having spotted this.
As only current versions of Appweb (4 & 5) have been addressed so far,
but legacy versions (see http://embedthis.com/appweb/download.html) were
not mentioned yet in https://github.com/embedthis/appweb/issues/413 :

– Appweb V3: vulnerable, too
— Source code audit on Appweb 3.4.2:
The vulnerable code is not in the parseRange() function in
paks/http/httpLib.c, but similarly in http/request.c
–…