cPanel before 64.0.21 allows demo accounts to execute SSH API commands (SEC-248).
cPanel before 62.0.17 allows a CPHulk one-day ban bypass when IP based protection is enabled (SEC-224).
cPanel before 67.9999.103 allows SQL injection during eximstats processing (SEC-276).
cPanel before 66.0.1 does not reliably perform suspend/unsuspend operations on accounts (CPANEL-13941).
cPanel before 64.0.21 allows demo and suspended accounts to use SSH port forwarding (SEC-247).
In cPanel before 96.0.13, scripts/fix-cpanel-perl mishandles the creation of temporary files (SEC-586).
cPanel 9.9.1-RELEASE-3 allows remote authenticated users to chmod arbitrary files via a symlink attack on the _private directory, which is created when Front Page extensions are enabled.
cPanel before 92.0.9 allows a Reseller to bypass the suspension lock (SEC-578).
cPanel before 82.0.2 allows unauthenticated file creation because Exim log parsing is mishandled (SEC-507).
cPanel before 80.0.5 allows demo accounts to modify arbitrary files via the extractfile API1 call (SEC-496).
cPanel before 78.0.2 does not properly restrict demo accounts from writing to files via the DCV UAPI (SEC-473).
cPanel before 74.0.0 allows Apache HTTP Server configuration injection because of DocumentRoot variable interpolation (SEC-416).
cPanel before 88.0.3 allows attackers to bypass the SMTP greylisting protection mechanism (SEC-491).
cPanel before 60.0.15 does not ensure that system accounts lack a valid password, so that logins are impossible (CPANEL-9559).
cPanel before 84.0.20 allows attackers to bypass intended restrictions on features and demo accounts via WebDisk UAPI calls (SEC-541).
cPanel before 88.0.13 allows bypass of a protection mechanism that attempted to restrict package modification (SEC-557).
cPanel before 64.0.21 allows demo accounts to execute Cpanel::SPFUI API commands (SEC-246).
cPanel before 62.0.17 allows does not preserve security policy questions across an account rename (SEC-223).
The email quota cache in cPanel before 90.0.10 allows overwriting of files.
cPanel before 92.0.9 allows a MySQL user (who has an old-style password hash) to bypass suspension (SEC-579).
An issue was discovered in the hyper crate before 0.9.18 for Rust. It mishandles newlines in headers.
Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements.
Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options.
A Improper Neutralization of CRLF Sequences vulnerability in Open Build Service allows remote attackers to cause deletion of directories by tricking obs-service-refresh_patches to delete them. Affected releases are openSUSE Open Build Service: versions prior to d6244245dda5367767efc989446fe4b5e4609cce.
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
GitLab CE/EE versions 8.18 up to 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1 have CRLF Injection in Project Mirroring when using the Git protocol.
gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in "process_headers" function in "gunicorn/http/wsgi.py" that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been fixed in 19.5.0.
A vulnerability was found in Ritlabs TinyWeb Server 1.94. It has been classified as problematic. Affected is an unknown function of the component Request Handler. The manipulation with the input %0D%0A leads to crlf injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-265830 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CRLF injection vulnerability in Cisco TelePresence TC 6.x before 6.3.4 and 7.x before 7.3.3 on Integrator C SX20 devices allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL, aka Bug ID CSCut79341.