HTTP Response Splitting

Les attaques HTTP Response Splitting utilisent une forme de vulnérabilité applicative, résultat de l'échec d'une application ou d'un environnement de correctement contrôler des valeurs d'entrée. Ce mode d'attaque peut-être utilisé pour effectuer des attaques cross-site scripting (XSS), des défacements inter-utilisateur, de l'empoisonnement de cache ou des exploits similaires.

Vulnérabilités récentes par scissions de sessions HTTP

12 Fév 2020

Vulnérabilité CVE-2020-6181 CVE Vulnerability

Publié par . Publié dans Http response splitting

Under some circumstances the SAML SSO implementation in the SAP NetWeaver (SAP_BASIS versions 702, 730, 731, 740 and SAP ABAP Platform (SAP_BASIS versions 750, 751, 752, 753, 754), allows an attacker to include invalidated data in the HTTP response header sent to a Web user, leading to HTTP Response Splitting vulnerability. (CVSS:5.0) (Last Update:2020-02-21)

10 Fév 2020

Vulnérabilité CVE-2019-19670 CVE Vulnerability

Publié par . Publié dans Http response splitting

A HTTP Response Splitting vulnerability was identified in the Web Settings Component of Web File Manager in Rumpus FTP Server 8.2.9.1. A successful exploit can result in stored XSS, website defacement, etc. via ExtraHTTPHeader to RAPR/WebSettingsGeneralSet.html. (CVSS:4.3) (Last Update:2020-02-11)

27 Jan 2020

Vulnérabilité CVE-2015-3154 CVE Vulnerability

Publié par . Publié dans Http response splitting

CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email. (CVSS:4.3) (Last Update:2020-01-30)

26 Déc 2019

Vulnérabilité CVE-2019-19389 CVE Vulnerability

Publié par . Publié dans Http response splitting

JetBrains Ktor framework before version 1.2.6 was vulnerable to HTTP Response Splitting. (CVSS:3.5) (Last Update:2020-08-24)

06 Déc 2019

Vulnérabilité CVE-2019-16771 CVE Vulnerability

Publié par . Publié dans Http response splitting

Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking. (CVSS:5.0) (Last Update:2019-12-16)

26 Nov 2019

Vulnérabilité CVE-2019-16254 CVE Vulnerability

Publié par . Publié dans Http response splitting

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF. (CVSS:5.0) (Last Update:2020-08-16)

25 Oct 2019

Vulnérabilité CVE-2019-4396 CVE Vulnerability

Publié par . Publié dans Http response splitting

IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 162236. (CVSS:3.5) (Last Update:2020-08-24)

25 Oct 2019

Vulnérabilité CVE-2019-4461 CVE Vulnerability

Publié par . Publié dans Http response splitting

IBM Cloud Orchestrator 2.4 through 2.4.0.5 and 2.5 through 2.5.0.9 is vulnerable to HTTP Response Splitting caused by improper caching of content. This would allow the attacker to perform further attacks, such as Web Cache poisoning, cross-site scripting and possibly obtain sensitive information. IBM X-Force ID: 163682. (CVSS:3.5) (Last Update:2020-08-24)

HTTP Response Splitting

Vulnérabilités récentes par scissions de sessions HTTP

Vulnérabilité CVE-2020-6181 CVE Vulnerability

Vulnérabilité CVE-2019-19670 CVE Vulnerability

Vulnérabilité CVE-2015-3154 CVE Vulnerability

Vulnérabilité CVE-2019-19389 CVE Vulnerability

Vulnérabilité CVE-2019-16771 CVE Vulnerability

Vulnérabilité CVE-2019-16254 CVE Vulnerability

Vulnérabilité CVE-2019-4396 CVE Vulnerability

Vulnérabilité CVE-2019-4461 CVE Vulnerability

Pour nous Contacter

Newsletter Cybersécurité

Ressources Sécurité

Notre expertise cybersécurité validée par de multiples certifications internationales