Julien Boulet

**Name of the Vulnerable Software and Affected Versions** OpenVPN Access Server version 2.1.4 **Description** A CRLF injection issue in the web interface allows remote attackers to inject arbitrary HTTP headers, potentially leading to session fixation attacks and HTTP response splitting attacks. This is achieved by including "%0A" characters in the PATH INFO to session start /. **Recommendations** For OpenVPN Access Server version 2.1.4, update to a newer version that contains a fix for this issue to prevent CRLF injection attacks. As a temporary workaround, consider restricting access to the session start / endpoint to minimize the risk of exploitation.