Improper Neutralization of HTTP Headers for Scripting Syntax

CVE-2021-21265

High

7.5/10

Summary

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax

The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

References

Advisory Timeline

Published Mar 10, 2021

Improper Neutralization of HTTP Headers for Scripting Syntax

CVE-2021-21265

Summary

CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax

References

Advisory Timeline

OWASP ZAP

CuteBoi

Wireshark