Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-35507

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-04 Dec, 2022 | 00:00
Updated At-24 Apr, 2025 | 15:23
Rejected At-
Credits

A response-header CRLF injection vulnerability in the Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) web interface allows a remote attacker to set cookies for a victim's browser that are longer than the server expects, causing a client-side DoS. This affects Chromium-based browsers because they allow injection of response headers with %0d. This is fixed in pve-http-server 4.1-3.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:04 Dec, 2022 | 00:00
Updated At:24 Apr, 2025 | 15:23
Rejected At:
▼CVE Numbering Authority (CNA)

A response-header CRLF injection vulnerability in the Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) web interface allows a remote attacker to set cookies for a victim's browser that are longer than the server expects, causing a client-side DoS. This affects Chromium-based browsers because they allow injection of response headers with %0d. This is fixed in pve-http-server 4.1-3.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=936007ae0241811093155000486da171379c23c2
N/A
https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-in-proxmox-ve--proxmox-mail-gateway/
N/A
Hyperlink: https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=936007ae0241811093155000486da171379c23c2
Resource: N/A
Hyperlink: https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-in-proxmox-ve--proxmox-mail-gateway/
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=936007ae0241811093155000486da171379c23c2
x_transferred
https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-in-proxmox-ve--proxmox-mail-gateway/
x_transferred
Hyperlink: https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=936007ae0241811093155000486da171379c23c2
Resource:
x_transferred
Hyperlink: https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-in-proxmox-ve--proxmox-mail-gateway/
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-74CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Type: CWE
CWE ID: CWE-74
Description: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:04 Dec, 2022 | 19:15
Updated At:24 Apr, 2025 | 16:15

A response-header CRLF injection vulnerability in the Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) web interface allows a remote attacker to set cookies for a victim's browser that are longer than the server expects, causing a client-side DoS. This affects Chromium-based browsers because they allow injection of response headers with %0d. This is fixed in pve-http-server 4.1-3.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.1HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CPE Matches
proxmox
proxmox
>>proxmox_mail_gateway>>-
cpe:2.3:a:proxmox:proxmox_mail_gateway:-:*:*:*:*:*:*:*
proxmox
proxmox
>>pve_http_server>>Versions before 4.1-3(exclusive)
cpe:2.3:a:proxmox:pve_http_server:*:*:*:*:*:*:*:*
proxmox
proxmox
>>virtual_environment>>-
cpe:2.3:a:proxmox:virtual_environment:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-74Primarynvd@nist.gov
CWE-74Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-74
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-74
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=936007ae0241811093155000486da171379c23c2cve@mitre.org
N/A
https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-in-proxmox-ve--proxmox-mail-gateway/cve@mitre.org
Exploit
Patch
Technical Description
Third Party Advisory
https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=936007ae0241811093155000486da171379c23c2af854a3a-2127-422b-91ae-364da2661108
N/A
https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-in-proxmox-ve--proxmox-mail-gateway/af854a3a-2127-422b-91ae-364da2661108
Exploit
Patch
Technical Description
Third Party Advisory
Hyperlink: https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=936007ae0241811093155000486da171379c23c2
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-in-proxmox-ve--proxmox-mail-gateway/
Source: cve@mitre.org
Resource:
Exploit
Patch
Technical Description
Third Party Advisory
Hyperlink: https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=936007ae0241811093155000486da171379c23c2
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-in-proxmox-ve--proxmox-mail-gateway/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Patch
Technical Description
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

16Records found
CVE-2023-4478
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.30% / 52.67%
||
7 Day CHG~0.00%
Published-25 Aug, 2023 | 09:06
Updated-30 Sep, 2024 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Parameter tampering in the registration resulting in blocked accounts to be created

Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2021-21743
Matching Score-4
Assigner-ZTE Corporation
ShareView Details
Matching Score-4
Assigner-ZTE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 57.53%
||
7 Day CHG~0.00%
Published-20 Oct, 2021 | 15:19
Updated-03 Aug, 2024 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZTE MF971R product has a CRLF injection vulnerability. An attacker could exploit the vulnerability to modify the HTTP response header information through a specially crafted HTTP request.

Action-Not Available
Vendor-n/aZTE Corporation
Product-mf971rmf971r_firmwareMF971R
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2019-1680
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 49.94%
||
7 Day CHG~0.00%
Published-07 Feb, 2019 | 21:00
Updated-21 Nov, 2024 | 19:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Webex Business Suite Content Injection Vulnerability

A vulnerability in Cisco Webex Business Suite could allow an unauthenticated, remote attacker to inject arbitrary text into a user's browser. The vulnerability is due to improper validation of input. An attacker could exploit this vulnerability by convincing a targeted user to view a malicious URL. A successful exploit could allow the attacker to inject arbitrary text into the user's browser. The attacker could use the content injection to conduct spoofing attacks. Versions prior than 3.0.9 are affected.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-webex_business_suitewebex_meetings_onlineCisco Webex Business Suite
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-20
Improper Input Validation
CVE-2025-20216
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.06% / 17.63%
||
7 Day CHG~0.00%
Published-07 May, 2025 | 17:18
Updated-29 Jul, 2025 | 13:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Catalyst SD-WAN Manager Reflected HTML Injection Vulnerability

A vulnerability in the web interface of Cisco Catalyst SD-WAN Manager, formerly Cisco SD-WAN vManage, could allow an unauthenticated, remote attacker to inject HTML into the browser of an authenticated user. This vulnerability is due to improper sanitization of input to the web interface. An attacker could exploit this vulnerability by convincing an authenticated user to click a malicious link. A successful exploit could allow the attacker to inject HTML into the browser of an authenticated Cisco Catalyst SD-WAN Manager user.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-catalyst_sd-wan_managerCisco Catalyst SD-WAN Manager
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2023-28599
Matching Score-4
Assigner-Zoom Video Communications, Inc.
ShareView Details
Matching Score-4
Assigner-Zoom Video Communications, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.52% / 65.70%
||
7 Day CHG~0.00%
Published-13 Jun, 2023 | 16:55
Updated-02 Jan, 2025 | 20:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoom clients prior to 5.13.10 contain an HTML injection vulnerability. A malicious user could inject HTML into their display name potentially leading a victim to a malicious website during meeting creation.

Action-Not Available
Vendor-Zoom Communications, Inc.
Product-zoomZoom for LinuxZoom for WindowsZoom for AndroidZoom for macOSZoom for iOS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2016-8720
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-3.1||LOW
EPSS-1.18% / 77.88%
||
7 Day CHG~0.00%
Published-13 Apr, 2017 | 19:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable HTTP Header Injection vulnerability exists in the Web Application functionality of the Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted HTTP request can inject a payload in the bkpath parameter which will be copied in to Location header of the HTTP response.

Action-Not Available
Vendor-Moxa Inc.
Product-awk-3131aawk-3131a_firmwareAWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2020-3246
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.16% / 37.48%
||
7 Day CHG~0.00%
Published-06 May, 2020 | 16:41
Updated-15 Nov, 2024 | 17:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Umbrella Carriage Return Line Feed Injection Vulnerability

A vulnerability in the web server of Cisco Umbrella could allow an unauthenticated, remote attacker to perform a carriage return line feed (CRLF) injection attack against a user of an affected service. The vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user to access a crafted URL. A successful exploit could allow the attacker to inject arbitrary HTTP headers into valid HTTP responses sent to the browser of the user.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-umbrellaCisco Umbrella
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2022-4145
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 24.58%
||
7 Day CHG~0.00%
Published-05 Oct, 2023 | 12:34
Updated-03 Sep, 2024 | 13:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Content spoofing

A content spoofing flaw was found in OpenShift's OAuth endpoint. This flaw allows a remote, unauthenticated attacker to inject text into a webpage, enabling the obfuscation of a phishing operation.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-openshift_container_platformRed Hat OpenShift Container Platform 4openshift
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2022-3962
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.58%
||
7 Day CHG~0.00%
Published-23 Sep, 2023 | 19:00
Updated-03 Aug, 2024 | 01:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kiali: error message spoofing in kiali ui

A content spoofing vulnerability was found in Kiali. It was discovered that Kiali does not implement error handling when the page or endpoint being accessed cannot be found. This issue allows an attacker to perform arbitrary text injection when an error response is retrieved from the URL being accessed.

Action-Not Available
Vendor-kialiRed Hat, Inc.
Product-kialiopenshift_service_meshenterprise_linuxenterprise_linux_for_ibm_z_systemsenterprise_linux_for_power_little_endian_eusOpenShift Service Mesh 2.1Red Hat OpenShift Service Mesh 2.3 for RHEL 8
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2025-46786
Matching Score-4
Assigner-Zoom Video Communications, Inc.
ShareView Details
Matching Score-4
Assigner-Zoom Video Communications, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.49%
||
7 Day CHG~0.00%
Published-14 May, 2025 | 17:42
Updated-14 May, 2025 | 18:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zoom Workplace Apps - Improper Neutralization of Special Elements

Improper neutralization of special elements in some Zoom Workplace Apps may allow an authenticated user to impact app integrity via network access.

Action-Not Available
Vendor-Zoom Communications, Inc.
Product-Zoom Workplace Apps
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2022-4188
Matching Score-4
Assigner-Chrome
ShareView Details
Matching Score-4
Assigner-Chrome
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 16.73%
||
7 Day CHG~0.00%
Published-29 Nov, 2022 | 00:00
Updated-03 Aug, 2024 | 01:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient validation of untrusted input in CORS in Google Chrome on Android prior to 108.0.5359.71 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

Action-Not Available
Vendor-Google LLC
Product-chromeandroidChrome
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2025-24374
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.54%
||
7 Day CHG~0.00%
Published-29 Jan, 2025 | 15:22
Updated-29 Jan, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Twig fixes a security issue where escaping was missing when using null coalesce operator (??)

Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.

Action-Not Available
Vendor-twigphp
Product-Twig
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2020-15011
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-1.09% / 77.00%
||
7 Day CHG~0.00%
Published-24 Jun, 2020 | 11:34
Updated-04 Aug, 2024 | 13:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page.

Action-Not Available
Vendor-n/aGNUCanonical Ltd.Debian GNU/Linux
Product-mailmanubuntu_linuxdebian_linuxn/a
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2022-1074
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 41.64%
||
7 Day CHG~0.00%
Published-29 Mar, 2022 | 05:50
Updated-15 Apr, 2025 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TEM FLEX-1085 injection

A vulnerability has been found in TEM FLEX-1085 1.6.0 and classified as problematic. Using the input <h1>HTML Injection</h1> in the WiFi settings of the dashboard leads to html injection.

Action-Not Available
Vendor-temTEM
Product-flex-1085_firmwareflex-1085FLEX-1085
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-28234
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.70% / 71.08%
||
7 Day CHG~0.00%
Published-09 Apr, 2024 | 13:59
Updated-02 Jan, 2025 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contao has insufficient BBCode sanitizer

Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, disable BBCode for comments.

Action-Not Available
Vendor-Contao Association
Product-contaocontao
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2021-21580
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-4.3||MEDIUM
EPSS-0.48% / 63.91%
||
7 Day CHG~0.00%
Published-03 Aug, 2021 | 15:30
Updated-16 Sep, 2024 | 17:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC iDRAC8 versions prior to 2.80.80.80 & Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a Content spoofing / Text injection, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate.

Action-Not Available
Vendor-Dell Inc.
Product-emc_idrac8_firmwareemc_idrac9_firmwareIntegrated Dell Remote Access Controller (iDRAC)
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Details not found