Invalid Characters in HTTP Headers Can Lead to Cross-Site Scripting and Cache Poisoning Attacks
CVE-2024-1226

7.5HIGH

Key Information:

Vendor
Rejetto
Status
Http File Server
Vendor
CVE Published:
12 March 2024

Summary

The vulnerability arises due to the software's failure to properly neutralize certain characters prior to their inclusion in outgoing HTTP headers. This allows an attacker to manipulate the HTTP response received by the browser, leading to potential exploitation through cross-site scripting and cache poisoning attacks. Such capabilities can compromise the integrity and security of affected systems, making it imperative for users to apply the latest updates and patches to mitigate risks associated with this vulnerability.

Affected Version(s)

Http File Server 2.2a, build #124

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Rafael Pedrero
.
CVE-2024-1226 : Invalid Characters in HTTP Headers Can Lead to Cross-Site Scripting and Cache Poisoning Attacks | SecurityVulnerability.io