CWE:
 

| Risk | Topic | Date | Author |
|---|---|---|---|
| Low | SmarterStats 11.3.6347 Cross Site Scripting | 02.10.2017 | David Hoyt |
| High | Dropbear SSHD xauth Command Injection / Bypass | 17.03.2016 | dropbear |
| High | OpenSSH 7.2p1 xauth Command Injection / Bypass | 16.03.2016 | tintinweb |
| Low | NetCat CMS Multiple HTTP Response Splitting (CRLF) Security Vulnerabilities | 08.03.2015 | Wang Jing |


CVEMAP Search Results

| Date | Risk | CVE | Details | Description |
|---|---|---|---|---|
| 2019-05-17 | Medium | CVE-2018-19585 | Vendor: Gitlab; Software: Gitlab | GitLab CE/EE versions 8.18 up to 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1 have CRLF Injection in Project Mirroring when using the Git protocol. |
| 2019-04-30 | Low | CVE-2019-10272 | Vendor: Weaver; Software: E-cology | An issue was discovered in Weaver e-cology 9.0. There is a CRLF Injection vulnerability via the /workflow/request/ViewRequestForwardSPA.jsp isintervenor parameter, as demonstrated by the %0aSet-cookie: substring. |
| 2019-03-31 | Medium | CVE-2019-10678 | Vendor: Domoticz; Software: Domoticz | Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options. |
| 2019-03-23 | Low | CVE-2019-9947 | Vendor: Python; Software: Python | An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. |
| 2019-03-13 | Low | CVE-2019-9741 | Vendor: Golang; Software: GO | An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command. |
| 2019-03-12 | Low | CVE-2019-9740 | Vendor: Python; Software: Python | An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. |
| 2019-02-03 | Medium | CVE-2019-7313 | | www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the Location header of /auth/login and /auth/logout via the redirect parameter. This affects other web sites in the same domain. |
| 2019-01-24 | Low | CVE-2019-6802 | Vendor: Python; Software: Pypiserver | CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI. |
| 2018-10-09 | Medium | CVE-2018-12477 | Vendor: Opensuse; Software: Opensuse leap | An Improper Neutralization of CRLF Sequences vulnerability in Open Build Service allows remote attackers to cause deletion of directories by tricking obs-service-refresh_patches to delete them. Affected releases are openSUSE Open Build Service: versions prior to d6244245dda5367767efc989446fe4b5e4609cce. |
| 2018-08-22 | Low | CVE-2017-7528 | Vendor: Redhat; Software: Ansible tower | Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that X-Forwarded-For header allows internal servers to deploy other systems (using callback). |

 

 


Copyright 2019, cxsecurity.com

 
