CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
EPSS: 0.002 Low (Percentile: 61.4%)

Package : fex
Version : 20100208+debian1-1+squeeze4
CVE ID : CVE-2014-3875 CVE-2014-3876 CVE-2014-3877
[CVE-2014-3875]
When inserting encoded newline characters into a request to rup,
additional HTTP headers can be injected into the reply, as well
as new HTML code on the top of the website.
[CVE-2014-3876]
The parameter akey is reflected unfiltered as part of the HTML
page. Some characters are forbidden in the GET parameter due
to filtering of the URL, but this can be circumvented by using
a POST parameter.
Nevertheless, this issue is exploitable via the GET parameter
alone, with some user interaction.
[CVE-2014-3877]
The parameter addto is reflected only slightly filtered back to
the user as part of the HTML page. Some characters are forbidden
in the GET parameter due to filtering of the URL, but this can
be circumvented by using a POST parameter. Nevertheless, this
issue is exploitable via the GET parameter alone, with some user
interaction.
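
The three issues above share one lesson: checks applied only to the URL miss the same parameters when they arrive in a POST body. The following request-screening check is an added example, not code from the advisory or from fex; it applies the same rules to both sources. The function name, the hypothetical parameter `x` and the sample requests are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Parameter -> CVE, as named in the advisory text above.
REFLECTED = {"akey": "CVE-2014-3876", "addto": "CVE-2014-3877"}
# Strict screening set: characters that change meaning in an HTML context.
HTML_META = set("<>\"'")


def screen_request(script, query="", body=""):
    """Screen one request to a fex CGI script.

    script: CGI name (e.g. "rup"); query: raw query string;
    body: raw application/x-www-form-urlencoded POST body.
    Returns a sorted list of (cve, source, parameter) findings.
    """
    findings = set()
    for source, raw in (("GET", query), ("POST", body)):
        # parse_qsl percent-decodes, so %0d%0a and %3C are seen as the
        # characters the application would eventually emit.
        for name, value in parse_qsl(raw, keep_blank_values=True):
            if script == "rup" and ("\r" in value or "\n" in value):
                findings.add(("CVE-2014-3875", source, name))
            if name in REFLECTED and HTML_META & set(value):
                findings.add((REFLECTED[name], source, name))
    return sorted(findings)


# Constructed sample requests (not taken from the advisory).
SAMPLES = [
    ("rup", "x=a%0d%0ab", ""),                # encoded CR/LF, hypothetical parameter "x"
    ("rup", "", "akey=%3Cb%3E"),              # markup sent in the POST body
    ("rup", "addto=user%40example.org", ""),  # benign value
]

if __name__ == "__main__":
    for script, query, body in SAMPLES:
        print(script, query or body, screen_request(script, query, body))
```

Screening like this is a stopgap for hosts that cannot be upgraded immediately; the fix is the package version listed in the table below.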

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Debian | 6 | all | fex-utils | < 20100208+debian1-1+squeeze4 | fex-utils_20100208+debian1-1+squeeze4_all.deb |
Debian | 6 | all | fex | < 20100208+debian1-1+squeeze4 | fex_20100208+debian1-1+squeeze4_all.deb |