Header injection in TypeSetter CMS

#VU10580 Header injection in TypeSetter CMS

Published: 2018-02-15

Vulnerability identifier: #VU10580

Vulnerability risk: Low

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:U/RC:C]

CVE-ID: CVE-2018-6889

CWE-ID: CWE-113

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
TypeSetter CMS
Client/Desktop applications / Software for system administration

Vendor: TypeSetter CMS

Description
The vulnerability allows a remote attacker to perform HTTP header injection attack or even trigger arbitrary user re-direction on the target system.

The vulnerability is caused by improper validation of input. A remote attacker can inject arbitrary HTTP headers and conduct various attacks, including cross-site scripting, cache poisoning or session hijacking.

Mitigation
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.

Vulnerable software versions

TypeSetter CMS: 5.1

External links
http://securitywarrior9.blogspot.in/2018/02/host-header-injection-type-setter-cms-51.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Typesetter CMS