CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (Http Response Splitting)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-3166 Http R.Spl. 2016-04-12 2016-04-12
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.
2 CVE-2016-2303 Http R.Spl. 2016-04-21 2016-04-27
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.
3 CVE-2016-2216 20 Http R.Spl. Bypass 2016-04-07 2016-04-11
4.3
None Remote Medium Not required None Partial None
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.
4 CVE-2016-1900 XSS Http R.Spl. 2016-01-20 2016-06-07
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in the cgit_print_http_headers function in ui-shared.c in CGit before 0.12 allows remote attackers with permission to write to a repository to inject arbitrary HTTP headers and conduct HTTP response splitting attacks or cross-site scripting (XSS) attacks via newline characters in a filename.
5 CVE-2016-1899 XSS Http R.Spl. 2016-01-20 2016-06-07
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in the ui-blob handler in CGit before 0.12 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks or cross-site scripting (XSS) attacks via CRLF sequences in the mimetype parameter, as demonstrated by a request to blob/cgit.c.
6 CVE-2016-1133 Http R.Spl. 2016-01-16 2016-01-21
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in the on_req function in lib/handler/redirect.c in H2O before 1.6.2 and 1.7.x before 1.7.0-beta3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URI.
7 CVE-2016-0902 Http R.Spl. 2016-05-07 2016-05-09
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in EMC RSA Authentication Manager before 8.1 SP1 P14 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
8 CVE-2016-0789 20 Http R.Spl. 2016-04-07 2016-07-14
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
9 CVE-2016-0400 Http R.Spl. 2016-07-02 2016-07-06
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3, 7.1.1 before 7.1.1.1, 8.5 before 8.5.0.3, and 8.6 before 8.6.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.
10 CVE-2016-0359 Http R.Spl. 2016-07-03 2016-07-06
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 Full before 8.5.5.10, and 8.5 Liberty before Liberty Fix Pack 16.0.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.
11 CVE-2015-8852 Http R.Spl. 2016-04-25 2016-05-06
5.0
None Remote Low Not required None Partial None
Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request.
12 CVE-2015-5285 Http R.Spl. 2015-10-29 2015-10-30
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in Kallithea before 0.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the came_from parameter to _admin/login.
13 CVE-2015-5245 Http R.Spl. 2015-12-03 2015-12-04
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in the Ceph Object Gateway (aka radosgw or RGW) in Ceph before 0.94.4 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted bucket name.
14 CVE-2015-5144 20 Http R.Spl. 2015-07-14 2015-07-15
4.3
None Remote Medium Not required None Partial None
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
15 CVE-2015-2028 Http R.Spl. 2015-10-03 2015-10-05
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.
16 CVE-2015-2017 Http R.Spl. 2015-11-08 2015-11-09
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.12, and 8.5 before 8.5.5.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.
17 CVE-2015-0881 Http R.Spl. 2015-02-20 2015-03-04
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in Squid before 3.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted header in a response.
18 CVE-2015-0770 20 Http R.Spl. 2015-06-07 2015-06-08
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in Cisco TelePresence TC 6.x before 6.3.4 and 7.x before 7.3.3 on Integrator C SX20 devices allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL, aka Bug ID CSCut79341.
19 CVE-2015-0733 XSS Http R.Spl. 2015-05-30 2015-06-02
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in the HTTP Header Handler in Digital Broadband Delivery System in Cisco Headend System Release allows remote attackers to inject arbitrary HTTP headers, and conduct HTTP response splitting attacks or cross-site scripting (XSS) attacks, via a crafted request, aka Bug ID CSCur25580.
20 CVE-2015-0196 Http R.Spl. 2015-06-29 2015-06-29
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in IBM WebSphere Commerce 6.0 through 6.0.0.11 and 7.0 before 7.0.0.8 Cumulative iFix 2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.
21 CVE-2014-9650 Http R.Spl. 2015-01-27 2015-01-29
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the download parameter to api/definitions.
22 CVE-2014-8150 Http R.Spl. 2015-01-15 2015-10-22
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.
23 CVE-2014-6151 20 Http R.Spl. 2014-10-25 2015-11-04
3.5
None Remote Medium Single system None Partial None
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
24 CVE-2014-4803 Http R.Spl. 2015-02-12 2015-02-17
3.5
None Remote Medium Single system None Partial None
CRLF injection vulnerability in the Universal Access implementation in IBM Curam Social Program Management 6.0 SP2 before EP26, 6.0.4 before 6.0.4.5 iFix007, and 6.0.5 before 6.0.5.5 iFix003, when WebSphere Application Server is not used, allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via an unspecified parameter.
25 CVE-2014-3427 Http R.Spl. 2014-07-16 2015-07-31
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in Yealink VoIP Phones with firmware 28.72.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the model parameter to servlet.
26 CVE-2014-3069 Http R.Spl. 2014-08-11 2015-12-03
3.5
None Remote Medium Single system None Partial None
Multiple CRLF injection vulnerabilities in the Universal Access component in IBM Curam Social Program Management (SPM) 6.0.5.5, when WebSphere Application Server is not used, allow remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified parameters.
27 CVE-2014-3026 Http R.Spl. 2014-07-29 2014-07-30
3.5
None Remote Medium Single system None Partial None
CRLF injection vulnerability in IBM Maximo Asset Management 7.5 through 7.5.0.6, and 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
28 CVE-2014-3012 Http R.Spl. 2014-06-18 2014-06-21
3.5
None Remote Medium Single system None Partial None
Multiple CRLF injection vulnerabilities in IBM Curam Social Program Management 5.2 SP1 through 6.0.5.4 allow remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified parameters to custom JSPs.
29 CVE-2014-1956 Http R.Spl. 2014-04-30 2014-07-18
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in FortiGuard FortiWeb before 5.0.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
30 CVE-2014-1406 20 Http R.Spl. 2014-01-10 2014-01-10
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in goform/formWlSiteSurvey on the Conceptronic C54APM access point with runtime code 1.26 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the submit-url parameter in a Refresh action.
31 CVE-2013-6009 94 Http R.Spl. 2013-10-03 2013-10-04
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in Open-Xchange AppSuite before 7.2.2, when using AJP in certain conditions, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the ajax/defer servlet.
32 CVE-2013-3998 94 Http R.Spl. 2014-03-26 2014-03-26
3.5
None Remote Medium Single system None Partial None
CRLF injection vulnerability in the Web Application Enterprise Console in IBM InfoSphere BigInsights 1.1 and 2.x before 2.1 FP2 allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
33 CVE-2013-3373 94 Http R.Spl. 2013-08-23 2013-08-26
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a MIME header.
34 CVE-2013-2950 94 Http R.Spl. 2013-06-03 2013-06-04
3.5
None Remote Medium Single system None Partial None
CRLF injection vulnerability in IBM WebSphere Portal 6.1.0.x before 6.1.0.3 CF26, 6.1.5.x before 6.1.5 CF26, 7.0.0.x before 7.0.0.2 CF21, and 8.0.0.x through 8.0.0.1 CF5, when home substitution (aka uri.home.substitution) is enabled, allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
35 CVE-2013-2652 79 XSS Http R.Spl. 2013-11-02 2013-11-21
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in help/help_language.php in WebCollab 3.30 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the item parameter.
36 CVE-2013-1869 20 XSS Http R.Spl. 2014-04-01 2014-04-01
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in spacewalk-java before 2.1.148-1 and Red Hat Network (RHN) Satellite 5.6 allows remote attackers to inject arbitrary HTTP headers, and conduct HTTP response splitting attacks and cross-site scripting (XSS) attacks, via the return_url parameter.
37 CVE-2013-1647 94 Http R.Spl. 2013-09-05 2013-09-26
5.0
None Remote Low Not required None Partial None
Multiple CRLF injection vulnerabilities in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted parameter, as demonstrated by (1) the location parameter to ajax/redirect or (2) multiple infostore URIs.
38 CVE-2013-0670 20 Http R.Spl. 2013-03-21 2013-03-22
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in the HMI web application in Siemens WinCC (TIA Portal) 11 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.
39 CVE-2012-6072 20 Http R.Spl. 2013-02-24 2016-07-15
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
40 CVE-2012-5572 20 Http R.Spl. 2014-05-30 2014-06-24
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in the cookie method (lib/Dancer/Cookie.pm) in Dancer before 1.3114 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a cookie name, a different vulnerability than CVE-2012-5526.
41 CVE-2012-5057 Http R.Spl. 2014-06-04 2014-06-04
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in ownCloud Server before 4.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the url path parameter.
42 CVE-2012-4388 20 Http R.Spl. Bypass 2012-09-07 2013-09-11
4.3
None Remote Medium Not required None Partial None
The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0 does not properly determine a pointer during checks for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1398.
43 CVE-2012-4023 20 Http R.Spl. 2012-11-08 2013-02-02
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in Pebble before 2.6.4 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
44 CVE-2012-3333 Http R.Spl. 2014-05-26 2014-05-27
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in IBM Maximo Asset Management 7.x before 7.5.0.6 and SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted parameter in a URL.
45 CVE-2012-3301 20 Http R.Spl. 2012-08-21 2012-08-21
4.3
None Remote Medium Not required None Partial None
Multiple CRLF injection vulnerabilities in the HTTP server in IBM Lotus Domino 8.5.x before 8.5.4 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input involving (1) Mozilla Firefox 3.0.9 and earlier or (2) unspecified browsers.
46 CVE-2012-2943 1 Http R.Spl. 2012-05-27 2012-05-29
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in cryptographp.inc.php in Cryptographp allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the cfg parameter.
47 CVE-2012-2374 20 Http R.Spl. 2012-05-23 2012-09-04
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input.
48 CVE-2012-2041 94 Http R.Spl. 2012-06-13 2012-06-13
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in the Component Browser in Adobe ColdFusion 8.0 through 9.0.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
49 CVE-2012-0310 94 Http R.Spl. 2012-01-12 2012-01-30
5.8
None Remote Medium Not required None Partial Partial
CRLF injection vulnerability in Cogent DataHub 7.1.2 and earlier, Cascade DataHub 6.4.20 and earlier, and OPC DataHub 6.4.20 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
50 CVE-2011-4586 Http R.Spl. 2012-07-20 2012-07-20
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in calendar/set.php in the Calendar subsystem in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
Total number of vulnerabilities : 136   Page : 1 (This Page)2 3
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.