CVE-2024-20392

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (CWE-113)

Published: May 15, 2024 / Updated: 6mo ago

Development Last Updated: 7/18/2024 CVEs: CVE-2024-20258 , CVE-2024-20392 , CVE-2024-20401 , CVE-2024-20256 , CVE-2024-20257 , CVE-2024-20383

Summary: A vulnerability in the DNS inspection handler of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service condition (DoS) on an affected device.This vulnerability is due to Read More... Summary: A vulnerability in the hardware-based SSL/TLS cryptography functionality of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 2100 Series Appliances could allow an unauthenticated, remote attacker to cause an affected device Read More...

"The vulnerabilities reported in this Security Bulletin include 35 high-severity vulnerabilities and 2 critical-severity vulnerabilities which have been fixed in new versions of our products (Bamboo, Bitbucket, Confluence, Crowd, Jira, and Jira Service Management), released in the last month." # GitHub Enterprise Server maximum severity (CVSS v4 score: 10.0) authentication bypass # vulnerability CVE-2024-4985 allows attackers to forge a SAML response and gain administrator privileges, providing unrestricted access:

10Web Form Builder Team–Form Maker by 10Web Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in 10Web Form Builder Team Form Maker by 10Web allows Stored XSS.This issue affects Form Maker by 10Web: from n/a through 1.15.24. 2024-05-14 5.9 CVE-2024-34437 [email protected] 1Panel-dev–1Panel 1Panel is an open source Linux server operation and maintenance management panel. Prior to v1.10.3-lts, there are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The mirror configuration write symbol `>` can be used to achieve arbitrary file writing. This vulnerability is fixed in v1.10.3-lts. 2024-05-14 6.5 CVE-2024-34352 [email protected] ABB–RobotWare 6 An attacker who successfully exploited these vulnerabilities could cause the robot to stop, make the robot controller inaccessible. The vulnerability could potentially be exploited to perform unauthorized actions by an attacker. This vulnerability arises under specific condition when specially crafted message is processed by the system. Below are reported vulnerabilities in the Robot Ware versions.

Classification: Important, Solution: Official Fix, Exploit Maturity: Not Defined, CVSSv3.1: 6.1, CVEs: CVE-2024-20392, CVE-2024-20256, CVE-2024-20257, CVE-2024-20258, Summary: A vulnerability in the web-based management API of Cisco AsyncOS Software for Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. Also https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-bgG5WHOD Multiple vulnerabilities in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager; Secure Email Gateway, formerly Email Security Appliance (ESA); and Secure Web Appliance could allow a remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.