3714 matches found
CVE-2023-24975
IBM Spectrum Symphony 7.3 is vulnerable to HTTP header injection due to improper validation of the HOST header. This can enable attackers to perform attacks such as cross-site scripting, cache poisoning, or session hijacking. The issue is documented as CVE-2023-24975. According to IBM’s bulletin,...
CVE-2023-24975 IBM Spectrum Symphony HOST header injection
IBM Spectrum Symphony 7.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID...
PT-2023-19849 · Ibm · Ibm Spectrum Symphony
Name of the Vulnerable Software and Affected Versions: IBM Spectrum Symphony version 7.3 Description: The issue is caused by improper validation of input by the HOST headers, leading to HTTP header injection. This could allow an attacker to conduct various attacks against the vulnerable system,...
Internet Bug Bounty: Ruby's CGI library has HTTP response splitting (HTTP header injection), leaking confidential information
A vulnerability was found in Ruby's CGI library that allowed an attacker to inject a malicious HTTP response header and/or body if an application used untrusted user input to generate HTTP responses. The vulnerability was fixed in version 0.3.5, 0.2.2, and 0.1.0.2 of the cgi gem...
Security Bulletin: IBM Planning Analytics and IBM Planning Analytics Workspace are affected by a security vulnerability in IBM WebSphere Application Server Liberty (CVE-2022-34165)
Summary There is a vulnerability in IBM WebSphere Application Server Liberty used by IBM Planning Analytics and IBM Planning Analytics Workspace. The applicable CVE has been addressed in IBM Planning Analytics and Planning Analytics Workspace. Vulnerability Details CVEID: CVE-2022-34165 DESCRIPTION...
K23134279: Node.js vulnerability CVE-2016-2216
Security Advisory Description The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters...
K23860356: TMM vulnerability CVE-2019-6660
Security Advisory Description iRules performing HTTP header manipulation may cause a denial-of-service (DoS) when processing traffic handled by a virtual server with an associated HTTP profile, in specific circumstances, when the requests do not strictly conform to RFCs. (CVE-2019-6660) Impact The...
K43709560: Apache Tomcat vulnerability CVE-2020-1935
Security Advisory Description In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat w...
K17189: Apache HTTP server vulnerability CVE-2008-0456
Security Advisory Description CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP...
K35040315: glibc vulnerability CVE-2016-10739
Security Advisory Description In the GNU C Library aka glibc or libc6 through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a...
CVE-2023-23936
A flaw was found in the fetch API in Node.js that did not prevent CRLF injection in the 'host' header. This issue could allow HTTP response splitting and HTTP header injection...
CVE-2022-47909
Livestatus Query Language (LQL) injection in the AuthUser HTTP query header of Tribe29's Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to perform direct queries to the application's core from localhost...
CVE-2022-36775
IBM Security Verify Access 10.0.0.0, 10.0.1.0, 10.0.2.0, 10.0.3.0, and 10.0.4.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting,...
Cross site scripting
IBM Security Verify Access 10.0.0.0, 10.0.1.0, 10.0.2.0, 10.0.3.0, and 10.0.4.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting,...
CVE-2022-36775
IBM Security Verify Access versions 10.0.0.0–10.0.4.0 are affected by an HTTP header injection due to improper HOST header validation. This can allow attacks such as cross-site scripting, cache poisoning, or session hijacking, as described in multiple sources. No exploitation details are provided...
CVE-2022-36775 IBM Security Verify Access HOST header injection
IBM Security Verify Access 10.0.0.0, 10.0.1.0, 10.0.2.0, 10.0.3.0, and 10.0.4.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting,...
SUSE-SU-2023:0442-1 Security update for rubygem-actionpack-4_2
This update for rubygem-actionpack-4_2 fixes the following issues: - CVE-2023-22795: Fixed possible ReDoS based DoS vulnerability in Action Dispatch via specially crafted HTTP header (bsc#1207451). - CVE-2023-22792: Fixed possible ReDoS based DoS vulnerability in Action Dispatch via specially crafted...
CRLF Injection in Nodejs ‘undici’ via host
Impact undici library does not protect host HTTP header from CRLF injection vulnerabilities. Patches This issue was patched in Undici v5.19.1. Workarounds Sanitize the headers.host string before passing to undici. References Reported at https://hackerone.com/reports/1820955. Credits Thank you to...
GHSA-5R9G-QH6M-JXFF CRLF Injection in Nodejs ‘undici’ via host
Impact undici library does not protect host HTTP header from CRLF injection vulnerabilities. Patches This issue was patched in Undici v5.19.1. Workarounds Sanitize the headers.host string before passing to undici. References Reported at https://hackerone.com/reports/1820955. Credits Thank you to...
CVE-2023-23936 CRLF Injection in Nodejs ‘undici’ via host
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect host HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the headers.host string before passing to...