Luantq0

**Name of the Vulnerable Software and Affected Versions** microdot versions prior to 2.6.1 **Description** The `Response.set cookie()` function does not sanitize string arguments, failing to detect the `r ` sequence. This allows for HTTP response splitting and header injection attacks. For this to be exploited, an attacker must first compromise the client, such as through a Cross-Site Scripting (XSS) attack, to send malicious data that the server then stores in a cookie for the victim. This type of attack is limited to the specific infiltrated client. **Recommendations** Upgrade to version 2.6.1. As a temporary workaround, do not pass untrusted data to the `Response.set cookie()` function.