|
|
Security Vulnerabilities Published
In 2017(Http Response Splitting)
| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2017-12309 |
113 |
|
XSS Http R.Spl. |
2017-11-16 |
2017-12-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
A vulnerability in the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to conduct a HTTP response splitting attack. The vulnerability is due to the failure of the application or its environment to properly sanitize input values. An attacker could exploit this vulnerability by injecting malicious HTTP headers, controlling the response body, or splitting the response into multiple responses. An exploit could allow the attacker to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and similar exploits. Cisco Bug IDs: CSCvf16705. |
|
2 |
CVE-2017-7459 |
284 |
|
Http R.Spl. |
2017-06-26 |
2017-06-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
ntopng before 3.0 allows HTTP Response Splitting. |
|
3 |
CVE-2017-7443 |
113 |
|
Http R.Spl. |
2017-04-05 |
2017-04-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
apt-cacher before 1.7.15 and apt-cacher-ng before 3.4 allow HTTP response splitting via encoded newline characters, related to lack of blocking for the %0[ad] regular expression. |
|
4 |
CVE-2017-7320 |
79 |
|
DoS XSS Http R.Spl. |
2017-03-30 |
2017-03-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
setup/controllers/language.php in MODX Revolution 2.5.4-pl and earlier does not properly constrain the language parameter, which allows remote attackers to conduct Cookie-Bombing attacks and cause a denial of service (cookie quota exhaustion), or conduct HTTP Response Splitting attacks with resultant XSS, via an invalid parameter value. |
|
5 |
CVE-2017-5868 |
93 |
|
Http R.Spl. |
2017-05-25 |
2017-06-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/. |
|
6 |
CVE-2017-1503 |
79 |
|
XSS Http R.Spl. +Info |
2017-10-10 |
2017-11-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 129578. |
|
7 |
CVE-2017-1291 |
79 |
|
XSS Http R.Spl. +Info |
2017-05-26 |
2017-05-31 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Maximo Asset Management 7.5 and 7.6 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 125152. |
|
8 |
CVE-2017-1262 |
113 |
|
XSS Http R.Spl. +Info |
2017-12-20 |
2018-01-03 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
IBM Security Guardium 10.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 124737. |
|
9 |
CVE-2016-8743 |
19 |
|
Http R.Spl. |
2017-07-27 |
2018-04-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. |
|
10 |
CVE-2016-6484 |
93 |
|
Http R.Spl. |
2017-01-23 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
CRLF injection vulnerability in Infoblox Network Automation NetMRI before 7.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the contentType parameter in a login action to config/userAdmin/login.tdf. |
|
11 |
CVE-2014-9564 |
93 |
|
XSS Http R.Spl. +Info |
2017-08-25 |
2017-08-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
CRLF injection vulnerability in IBM Flex System EN6131 40Gb Ethernet and IB6131 40Gb Infiniband Switch firmware before 3.4.1110 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks and resulting web cache poisoning or cross-site scripting (XSS) attacks, or obtain sensitive information via multiple unspecified parameters. |
Total number of vulnerabilities : 11
Page :
1
(This Page)
|
|
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is
MITRE's CVE web site.
CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is
MITRE's CWE web site.
OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is
MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk.
It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content.
EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site.
ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT,
INDIRECT or any other kind of loss.
