Home
Bugtraq
Full List
Only Bugs
Only Tricks
Only Exploits
Only Dorks
Only CVE
Only CWE
Fake Notes
Ranking
CVEMAP
Full List
Show Vendors
Show Products
CWE Dictionary
Check CVE Id
Check CWE Id
Search
Bugtraq
CVEMAP
By author
CVE Id
CWE Id
By vendors
By products
RSS
Bugtraq
CVEMAP
CVE Products
Bugs
Exploits
Dorks
More
cIFrex
Facebook
Twitter
Donate
About
Submit
CWE
:
Topic
Date
Author
Med.
Desktop Central 9.1.0 CRLF Injection / Server-Side Request Forgery
27.03.2023
Rafael Pedrero
Low
SmarterStats 11.3.6347 Cross Site Scripting
02.10.2017
David Hoyt
High
Dropbear SSHD xauth Command Injection / Bypass
17.03.2016
dropbear
High
OpenSSH 7.2p1 xauth Command Injection / Bypass
16.03.2016
tintinweb
Low
NetCat CMS Multiple HTTP Response Splitting (CRLF) Security Vulnerabilities
08.03.2015
Wang Jing
CVEMAP Search Results
CVE
Details
Description
2024-09-10
CVE-2024-45597
Updating...
Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table.
2024-06-11
CVE-2024-33606
Updating...
An attacker could retrieve sensitive files (medical images) as well as plant new medical images or overwrite existing medical images on a MicroDicom DICOM Viewer system. User interaction is required to exploit this vulnerability.
2024-05-22
CVE-2024-5193
Updating...
A vulnerability was found in Ritlabs TinyWeb Server 1.94. It has been classified as problematic. Affected is an unknown function of the component Request Handler. The manipulation with the input %0D%0A leads to crlf injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-265830 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
2024-03-12
CVE-2024-1226
Updating...
The software does not neutralize or incorrectly neutralizes certain characters before the data is included in outgoing HTTP headers. The inclusion of invalidated data in an HTTP header allows an attacker to specify the full HTTP response represented by the browser. An attacker could control the response and craft attacks such as cross-site scripting and cache poisoning attacks.
2023-11-03
CVE-2023-4767
Updating...
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv.
CVE-2023-4768
Updating...
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.pdf.
2022-07-19
CVE-2022-31150
Updating...
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
2022-02-18
Medium
CVE-2022-0666
Vendor:
Microweber
Software:
Microweber
CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11.
2021-12-12
Medium
CVE-2021-4097
Vendor:
Phpservermonitor
Software:
Php server m...
phpservermon is vulnerable to Improper Neutralization of CRLF Sequences
2021-08-27
CVE-2021-39172
Updating...
Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can exploit a new line injection in the configuration edition feature (e.g. mail settings) and gain arbitrary code execution on the server. This issue was addressed in version 2.5.1 by improving `UpdateConfigCommandHandler` and preventing the use of new lines characters in new configuration values. As a workaround, only allow trusted source IP addresses to access to the administration dashboard.
Copyright
2024
, cxsecurity.com
Back to Top
