CVE-2015-1445 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.2 HIGH	NETWORK	LOW	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 70%

Affected Products (NVD)

Vendor	Product	Version
fli4l	fli4l	𝑥 ≤ 3.10.0
fli4l	fli4l	4.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
The software receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

References

http://seclists.org/oss-sec/2015/q1/376

http://www.fli4l.de/fileadmin/fli4l/security/advisory-FFL-1113.txt

http://www.openwall.com/lists/oss-security/2015/02/01/5

http://seclists.org/oss-sec/2015/q1/376

http://www.fli4l.de/fileadmin/fli4l/security/advisory-FFL-1113.txt

http://www.openwall.com/lists/oss-security/2015/02/01/5