CVSS: 10.0EPSS: 21%CPEs: 1EXPL: 1CVE-2024-52875 – GFI Kerio Control 9.4.5 HTTP Response Splitting
https://notcve.org/view.php?id=CVE-2024-52875
17 Dec 2024 — An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonauth/addCertException.cs and /nonauth/guestConfirm.cs and /nonauth/expiration.cs pages is not properly sanitized before being used to generate a Location HTTP header in a 302 HTTP response. This can be exploited to perform Open Redirect or HTTP Response Splitting attacks, which in turn lead to Reflected Cross-Site Scripting (XSS). Remote command execution can be achieved by leveraging the upgrade featu... • https://packetstorm.news/files/id/183183 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 5CVE-2019-16414 – GFI Kerio Control 9.3.0 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2019-16414
29 Sep 2019 — A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page to send back a victim's cleartext credentials to an attacker via a login/?reason=failure&NTLM= URI. Una vulnerabilidad de tipo XSS basado en DOM en GFI Kerio Control versión v9.3.0, permite insertar código malicioso y manipular la página de inicio de sesión para enviar de vuelta las credenciales de la víctima en texto sin cifrar para un atacante por medio de un inicio de un URI sesión/?reason=failu... • https://packetstorm.news/files/id/154678 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •