All CVEs (55)
CVE-2024-54021
CRITICAL: An improper neutralization of crlf sequences in http headers ('http response splitting') in Fortinet FortiOS 7.2.0 through 7.6.0, FortiProxy 7.2.0 through 7.4.5 allows attacker to execute unauthorized...
CVE-2019-25101
CRITICAL: A vulnerability classified as critical has been found in OnShift TurboGears 1.0.11.10. This affects an unknown part of the file turbogears/controllers.py of the component HTTP Header Handler. The mani...
CVE-2024-52875
HIGH: An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonauth/addCertException.cs and /nonauth/guestConfirm.cs and /nonauth/expiration.cs pages is not...
CVE-2023-32708
HIGH: In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user can trigger an HTTP response splitting vulnerability with th...
CVE-2021-40336
HIGH: A vulnerability exists in the http web interface where the web interface does not validate data in an HTTP header. This causes a possible HTTP response splitting, which if exploited could lead an atta...
CVE-2018-13814
HIGH: A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" (All versions < V14), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V14), SIMATIC HMI KTP Mobile Panels KTP400F...
CVE-2018-11347
HIGH: The YunoHost 2.7.2 through 2.7.14 web application is affected by one HTTP Response Header Injection. This flaw allows an attacker to inject, into the response from the server, one or several HTTP Head...
CVE-2018-0689
HIGH: HTTP header injection vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13, DS-780N firmware versions released prior to 2018 March 13, EP-10VA ...
CVE-2018-3911
HIGH: An exploitable HTTP header injection vulnerability exists in the remote servers of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The hubCore process listens on port 39500 and relays ...
CVE-2024-23644
HIGH: Trillium is a composable toolkit for building internet applications with async rust. In `trillium-http` prior to 0.3.12 and `trillium-client` prior to 0.5.4, insufficient validation of outbound header...
CVE-2016-8024
HIGH: Improper neutralization of CRLF sequences in HTTP headers vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote unauthenticated attacker to obtain sensiti...
CVE-2023-42450
HIGH: Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary d...
CVE-2022-3215
HIGH: NIOHTTP1 and projects using it for generating HTTP responses can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts user generated input from an incoming reques...
CVE-2020-5247
HIGH: In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or `/r`, `/n`) to end...
CVE-2018-7830
HIGH: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where a...
CVE-2015-1445
HIGH: HTTP header injection in the httpd package in fli4l before 3.10.1 and 4.0 before 2015-01-30.
CVE-2022-41915
MEDIUM: Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of val...
CVE-2020-5249
MEDIUM: In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject ma...
CVE-2020-10753
MEDIUM: A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the Expo...
CVE-2019-16771
MEDIUM: Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized da...
CVE-2017-7528
MEDIUM: Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that X-Forwarded-For header allows internal servers to deploy other systems (using ca...
CVE-2024-24795
MEDIUM: HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Use...
CVE-2023-48256
MEDIUM: The vulnerability allows a remote attacker to inject arbitrary HTTP response headers or manipulate HTTP response bodies inside a victim’s session via a crafted URL or HTTP request.
CVE-2024-20392
MEDIUM: A vulnerability in the web-based management API of Cisco AsyncOS Software for Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. T...