4.3
CVE-2011-1398
- EPSS 10.17%
- Veröffentlicht 30.08.2012 22:55:02
- Zuletzt bearbeitet 16.06.2026 23:29:16
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 10.17% | 0.951 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
http://rhn.redhat.com/errata/RHSA-2013-1307.html
http://secunia.com/advisories/55078
http://www.ubuntu.com/usn/USN-1569-1
http://article.gmane.org/gmane.comp.php.devel/70584
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00006.html
http://openwall.com/lists/oss-security/2012/08/29/5
http://openwall.com/lists/oss-security/2012/09/05/15
http://security-tracker.debian.org/tracker/CVE-2011-1398
http://www.securitytracker.com/id?1027463
https://bugs.php.net/bug.php?id=60227