PT-2015-6832 · Kallithea · Kallithea

Gjoko Krstic

Publicado

2015-10-29

Atualizado

2022-05-13

CVE-2015-5285

CVSS v4.0

8.9

Alta

Vetor

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Name of the Vulnerable Software and Affected Versions Kallithea versions prior to 0.3

Description The issue allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the came from parameter to the admin/login API endpoint.

Recommendations For versions prior to 0.3, update to version 0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin/login API endpoint to minimize the risk of exploitation. Avoid using the came from parameter in the affected API endpoint until the issue is resolved.

Exploit

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-93

Identificadores relacionados

CVE-2015-5285

GHSA-VFG9-PHJP-9FRW

PYSEC-2015-13

Produtos afetados

Kallithea

PT-2015-6832 · Kallithea · Kallithea

CVE-2015-5285

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 9