CWE:
 

Topic
Date
Author
Med.
Desktop Central 9.1.0 CRLF Injection / Server-Side Request Forgery
27.03.2023
Rafael Pedrero
Low
SmarterStats 11.3.6347 Cross Site Scripting
02.10.2017
David Hoyt
High
Dropbear SSHD xauth Command Injection / Bypass
17.03.2016
dropbear
High
OpenSSH 7.2p1 xauth Command Injection / Bypass
16.03.2016
tintinweb
Low
NetCat CMS Multiple HTTP Response Splitting (CRLF) Security Vulnerabilities
08.03.2015
Wang Jing


CVEMAP Search Results

CVE
Details
Description
2024-09-10
Waiting for details
CVE-2024-45597

Updating...
 

 
Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table.

 
2024-06-11
Waiting for details
CVE-2024-33606

Updating...
 

 
An attacker could retrieve sensitive files (medical images) as well as plant new medical images or overwrite existing medical images on a MicroDicom DICOM Viewer system. User interaction is required to exploit this vulnerability.

 
2024-05-22
Waiting for details
CVE-2024-5193

Updating...
 

 
A vulnerability was found in Ritlabs TinyWeb Server 1.94. It has been classified as problematic. Affected is an unknown function of the component Request Handler. The manipulation with the input %0D%0A leads to crlf injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-265830 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

 
2024-03-12
Waiting for details
CVE-2024-1226

Updating...
 

 
The software does not neutralize or incorrectly neutralizes certain characters before the data is included in outgoing HTTP headers. The inclusion of invalidated data in an HTTP header allows an attacker to specify the full HTTP response represented by the browser. An attacker could control the response and craft attacks such as cross-site scripting and cache poisoning attacks.

 
2023-11-03
Waiting for details
CVE-2023-4767

Updating...
 

 
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv.

 
Waiting for details
CVE-2023-4768

Updating...
 

 
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.pdf.

 
2022-07-19
Waiting for details
CVE-2022-31150

Updating...
 

 
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.

 
2022-02-18
Medium
CVE-2022-0666

Vendor: Microweber
Software: Microweber
 

 
CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11.

 
2021-12-12
Medium
CVE-2021-4097

Vendor: Phpservermonitor
Software: Php server m...
 

 
phpservermon is vulnerable to Improper Neutralization of CRLF Sequences

 
2021-08-27
Waiting for details
CVE-2021-39172

Updating...
 

 
Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can exploit a new line injection in the configuration edition feature (e.g. mail settings) and gain arbitrary code execution on the server. This issue was addressed in version 2.5.1 by improving `UpdateConfigCommandHandler` and preventing the use of new lines characters in new configuration values. As a workaround, only allow trusted source IP addresses to access to the administration dashboard.

 

 


Copyright 2024, cxsecurity.com

 

Back to Top