CVEbaza.plSłownik CWECWE-644
Common Weakness Enumeration

CWE-644

Improper Neutralization of HTTP Headers for Scripting Syntax

Kategoria: VariantCVE: 56
Opis

Produkt nie neutralizuje lub nieprawidłowo neutralizuje składnię skryptów internetowych w nagłówkach HTTP, które mogą być wykorzystane przez komponenty przeglądarki internetowej zdolne do przetwarzania surowych nagłówków, takie jak Flash. Podatność ta pozwala atakującym na wykonanie nieautoryzowanego kodu poprzez manipulację nagłówkami HTTP.

Description (EN)

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Podatności CVE z CWE-644 (56)
10.0
CVSS
CRITICAL
CVE-2023-47143

IBM Tivoli Application Dependency Discovery Manager w wersjach 7.3.0.0–7.3.0.10 jest podatny na atak typu HTTP header injection poprzez nagłówek HOST. Podatność uzyskała najwyższy możliwy wynik CVSS 10.0, co oznacza krytyczne zagrożenie dla systemów, na których jest wdrożona.

pub. 2024-02-02
9.3
CVSS
CRITICAL
CVE-2025-70948

Podatność typu host header injection w komponencie mailer biblioteki @perfood/couch-auth v0.26.0 umożliwia atakującemu przechwycenie tokenu resetowania hasła i przejęcie konta użytkownika. Jest to krytyczna luka, ponieważ nie wymaga uwierzytelnienia ani żadnych specjalnych uprawnień.

pub. 2026-03-05
9.1
CVSS
CRITICAL
CVE-2026-26747

W aplikacji Monica 4.1.2 istnieje podatność typu Host Header Poisoning, umożliwiająca zdalnemu atakującemu podmianę domeny w linku do resetowania hasła wysyłanym do ofiary. Błąd wynika z nieprawidłowej obsługi nagłówka HTTP Host oraz domyślnej braku konfiguracji parametru 'app.force_url'.

pub. 2026-02-20
9.0
CVSS
CRITICAL
CVE-2026-33805

Podatność w bibliotekach @fastify/reply-from i @fastify/http-proxy umożliwia atakującemu selektywne usuwanie nagłówków dodanych przez proxy z żądań kierowanych do upstream. Jest to groźne, ponieważ pozwala obejść mechanizmy kontroli dostępu, routingu lub zabezpieczeń realizowane przez proxy poprzez manipulację wartością nagłówka Connection.

pub. 2026-04-15
8.8
CVSS
HIGH
CVE-2023-32465

Dell Power Protect Cyber Recovery, contains an Authentication Bypass vulnerability. An attacker could potentially exploit this vulnerability, leading to unauthorized admin access to the Cyber Recovery application. Exploitation may lead to complete system takeover by an attacker.

pub. 2023-06-14
8.8
CVSS
HIGH
CVE-2020-6982

In Honeywell WIN-PAK 4.7.2, Web and prior versions, the header injection vulnerability has been identified, which may allow remote code execution.

pub. 2020-03-24
8.8
CVSS
HIGH
CVE-2017-6031

A Header Injection issue was discovered in Certec EDV GmbH atvise scada prior to Version 3.0. An "improper neutralization of HTTP headers for scripting syntax" issue has been identified, which may allow remote code execution.

pub. 2017-05-06
8.7
CVSS
HIGH
CVE-2026-26234

JUNG Smart Visu Server 1.1.1050 contains a request header manipulation vulnerability that allows unauthenticated attackers to override request URLs by injecting arbitrary values in the X-Forwarded-Host header. Attackers can manipulate proxied requests to generate tainted responses, enabling cache poisoning, potential phishing, and redirecting users to malicious domains.

pub. 2026-02-12
8.5
CVSS
HIGH
CVE-2025-64425

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will receive a password reset email, with a link to the malicious host. If the victim clicks this link, their reset token is sent to the attacker's server, allowing the attacker to use it to change the victim's password and takeover their account. As of time of publication, it is unclear if a patch is available.

pub. 2026-01-05
8.5
CVSS
HIGH
CVE-2025-64484

OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions prior to 7.13.0, all deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP headers (e.g., WSGI-based frameworks such as Django, Flask, FastAPI, and PHP applications). Authenticated users can inject underscore variants of X-Forwarded-* headers that bypass the proxy’s filtering logic, potentially escalating privileges in the upstream app. OAuth2 Proxy authentication/authorization itself is not compromised. The problem has been patched with v7.13.0. By default all specified headers will now be normalized, meaning that both capitalization and the use of underscores (_) versus dashes (-) will be ignored when matching headers to be stripped. For example, both `X-Forwarded-For` and `X_Forwarded-for` will now be treated as equivalent and stripped away. For those who have a rational that requires keeping a similar looking header and not stripping it, the maintainers introduced a new configuration field for Headers managed through the AlphaConfig called `InsecureSkipHeaderNormalization`. As a workaround, ensure filtering and processing logic in upstream services don't treat underscores and hyphens in Headers the same way.

pub. 2025-11-10
8.3
CVSS
HIGH
CVE-2024-10006

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.

pub. 2024-10-30
8.2
CVSS
HIGH
CVE-2026-48126

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8.

pub. 2026-05-26
8.1
CVSS
HIGH
CVE-2026-33149

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses request.build_absolute_uri() to generate absolute URLs in multiple contexts, including invite link emails, API pagination, and OpenAPI schema generation. An attacker who can send requests to the application with a crafted Host header can manipulate all server-generated absolute URLs. The most critical impact is invite link poisoning: when an admin creates an invite and the application sends the invite email, the link points to the attacker's server instead of the real application. When the victim clicks the link, the invite token is sent to the attacker, who can then use it at the real application. As of time of publication, it is unknown if a patched version is available.

pub. 2026-03-26
7.5
CVSS
HIGH
CVE-2024-1064

A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified host header

pub. 2024-02-03
7.4
CVSS
HIGH
CVE-2024-47549

Sharp and Toshiba Tec MFPs improperly process query parameters in HTTP requests, which may allow contamination of unintended data to HTTP response headers. Accessing a crafted URL which points to an affected product may cause malicious script executed on the web browser.

pub. 2024-10-25
7.2
CVSS
HIGH
CVE-2023-36921

SAP Solution Manager (Diagnostics agent) - version 7.20, allows an attacker to tamper with headers in a client request. This misleads SAP Diagnostics Agent to serve poisoned content to the server. On successful exploitation, the attacker can cause a limited impact on confidentiality and availability of the application.

pub. 2023-07-11
6.9
CVSS
MEDIUM
CVE-2026-55791

Craft CMS is a content management system (CMS). Versions 4.0.0-RC1 and above, prior to 4.18.0 and 5.0.0-RC1, and above, prior to 5.10.0, are vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the application’s $baseUrl. This bypasses the endpoint’s internal URL validation, forcing the backend Guzzle client to fetch a malicious payload from an attacker-controlled server and reflect it to the client with a Content-Type: application/javascript header. The vulnerability manifests when assetManager.cacheSourcePaths is set to false. This issue has been fixed in versions 4.18.0 and 5.10.0.

pub. 2026-07-02
6.9
CVSS
MEDIUM
CVE-2025-13803

A vulnerability was identified in MediaCrush 1.0.0/1.0.1. The affected element is an unknown function of the file /mediacrush/paths.py of the component Header Handler. Such manipulation of the argument Host leads to improper neutralization of http headers for scripting syntax. The attack can be launched remotely.

pub. 2025-12-01
6.8
CVSS
MEDIUM
CVE-2021-21265

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force.

pub. 2021-03-10
6.5
CVSS
MEDIUM
CVE-2024-51454

IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 through 7.1 Interim Fix 004 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.

pub. 2026-06-22
Pokazano 20 z 56 podatności
Informacje
ID: CWE-644
Typ: Variant
Podatności: 56
MITRE CWE ↗
← Słownik CWE