PT-2015-6832 · Kallithea · Kallithea

Gjoko Krstic

Published

2015-10-29

Updated

2022-05-13

CVE-2015-5285

CVSS v4.0

8.9

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Name of the Vulnerable Software and Affected Versions Kallithea versions prior to 0.3

Description The issue allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the came from parameter to the admin/login API endpoint.

Recommendations For versions prior to 0.3, update to version 0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin/login API endpoint to minimize the risk of exploitation. Avoid using the came from parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-93

Related Identifiers

CVE-2015-5285

GHSA-VFG9-PHJP-9FRW

PYSEC-2015-13

Affected Products

Kallithea

PT-2015-6832 · Kallithea · Kallithea

CVE-2015-5285

Weakness Enumeration

Related Identifiers

Affected Products

References · 9