5 results (0.013 seconds)

CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0

CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm. El módulo CGI.pm antes de v3.63 para Perl no escapa correctamente saltos de línea en cabeceras (1) Set-Cookie o (2) P3P, lo que podría permitir a atacantes remotos inyectar cabeceras arbitrarias a las respuestas de las aplicaciones que utilizan CGI.pm. • http://cpansearch.perl.org/src/MARKSTOS/CGI.pm-3.63/Changes http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735 http://rhn.redhat.com/errata/RHSA-2013-0685.html http://secunia.com/advisories/51457 http://secunia.com/advisories/55314 http://www.debian.org/security/2012/dsa-2586 http://www.openwall.com/lists/oss-security/2012/11/15/6 http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016& • CWE-16: Configuration •

CVSS: 4.3EPSS: 0%CPEs: 155EXPL: 0

Unspecified vulnerability in CGI.pm 3.50 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unknown vectors. NOTE: this issue exists because of an incomplete fix for CVE-2010-2761. Vulnerabilidad sin especificar en CGI.pm 3.50 y anteriores. Permite a atacantes remotos inyectar cabeceras HTTP de su elección y realizar ataques de división de respuestas HTTP a través de vectores desconocidos. NOTA: esta vulnerabilidad existe debido a un parche incompleto de la CVE-2010-2761. • http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053678.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html http://openwall.com/lists/oss-security/2010/12/01/3 http://secunia.com/advisories/43033 http://secunia.com/advisories/43068 http://secunia.com/advisories/43165 http://www.bugzilla •

CVSS: 4.3EPSS: 0%CPEs: 174EXPL: 0

CRLF injection vulnerability in the header function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors related to non-whitespace characters preceded by newline characters, a different vulnerability than CVE-2010-2761 and CVE-2010-3172. Vulnerabilidad de inyección CRLF (se refiere a CR (retorno de carro) y LF (salto de línea)) en la función header de (1) CGI.pm en versiones anteriores a la 3.50 y (2) Simple.pm de CGI::Simple 1.112 y versiones anteriores. Permite a atacantes remotos inyectar cabeceras HTTP y realizar un ataque de división de respuesta HTTP a través de vectores relacionados con caracteres que no son espacios en blanco precididos por caracteres de nueva línea. Una vulnerabilidad distinta a CVE-2010-2761 y CVE-2010-3172. • http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735 http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053576.html http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053591.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html http: • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 4.3EPSS: 0%CPEs: 174EXPL: 0

The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172. La función multipart_init de (1) CGI.pm en versiones anteriores a la 3.50 y (2) Simple.pm de CGI::Simple 1.112 y versiones anteriores usa un valor estático ("hardcoded") en la cadena de límite MIME en el contenido multipart/x-mixed-replace. Lo que permite a atacantes remotos inyectar cabeceras HTTP de su elección y realizar ataques de división de respuestas HTTP a través de una entrada modificada que contiene este valor. Una vulnerabilidad distinta a la CVE-2010-3172. • http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735 http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053678.html http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053576.html http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053591 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 4.3EPSS: 1%CPEs: 23EXPL: 0

Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter. Vulnerabilidad de secuencias de comandos en sitios cruzados en start_form() de CGI.pm permite a atacantes remotos insertar script web mediante una URL que es introducida en parámetro "action" del formulario. • http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000713 http://marc.info/?l=bugtraq&m=105880349328877&w=2 http://marc.info/?l=bugtraq&m=106018783704468&w=2 http://marc.info/?l=full-disclosure&m=105875211018698&w=2 http://secunia.com/advisories/13638 http://securitytracker.com/id? •