CVE-2024-1226

The software does not neutralize or incorrectly neutralizes certain characters before the data is included in outgoing HTTP headers. The inclusion of invalidated data in an HTTP header allows an attacker to specify the full HTTP response represented by the browser. An attacker could control the response and craft attacks such as cross-site scripting and cache poisoning attacks.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-rejettos-http-file-server
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-rejettos-http-file-server

Configurations

No configuration.

History

21 Nov 2024, 08:50

Type	Values Removed	Values Added
References	~~() https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-rejettos-http-file-server -~~	() https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-rejettos-http-file-server -
Summary		(es) El software no neutraliza o neutraliza incorrectamente ciertos caracteres antes de que los datos se incluyan en los encabezados HTTP salientes. La inclusión de datos invalidados en un encabezado HTTP permite a un atacante especificar la respuesta HTTP completa representada por el navegador. Un atacante podría controlar la respuesta y crear ataques como Cross Site Scripting y ataques de envenenamiento de caché.

12 Mar 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-12 15:15

Updated : 2024-11-21 08:50

NVD link : CVE-2024-1226

Mitre link : CVE-2024-1226

CVE.ORG link : CVE-2024-1226

JSON object : View

Products Affected

No product.

CWE

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

7.5 /10