
Tepel-Chen

#18417 of 53,633
14.7 Total CVSS
Vulnerabilities · 2
High
2
PT-2026-43071
7.5
2026-05-25
Hackney · Hackney · CVE-2026-47075
**Name of the Vulnerable Software and Affected Versions** hackney versions 0 through 4.0.0

**Description** Improper Neutralization of CRLF Sequences allows HTTP Request Splitting. The software fails to percent-encode carriage return (`\r`) or line feed (`\n`) characters in the URL query component before constructing the HTTP/1.1 request target. Specifically, the `hackney_url:make_url/3` function passes the query binary directly without validation or escaping, violating RFC 3986 Section 3.4. An attacker controlling part of a URL can inject raw CRLF sequences into the query string, enabling the injection of arbitrary HTTP headers or the splitting of the HTTP request.

**Recommendations** Update to version 4.0.1.
PT-2026-23507
7.2
2026-03-05
Frappe · Frappe · CVE-2026-28436
**Name of the Vulnerable Software and Affected Versions** Frappe versions prior to 16.11.0 and 15.102.0

**Description** A flaw exists in Frappe that allows an attacker to inject malicious code through a crafted image URL. This can lead to Cross-Site Scripting (XSS) when a user’s avatar is displayed. The issue can be triggered for other users through website page comments.

**Recommendations** Update to version 16.11.0 or later. Update to version 15.102.0 or later.