"User input passed to these pages via the 'dest' GET parameter is not properly sanitized before being used to generate a 'Location' HTTP header in a 302 HTTP response," Romano said. "Specifically, the application does not correctly filter/remove line feed (LF) characters. This can be exploited to perform HTTP Response Splitting attacks, which, in turn, might allow it to carry out reflected cross-site scripting (XSS) and possibly other attacks."
"The flaw impacts KerioControl versions 9.2.5 through 9.4.5, according to security researcher Egidio Romano, who discovered and reported the flaw in early November 2024."
"A fix for the vulnerability was released by GFI on December 19, 2024, with version 9.4.5 Patch 1. A proof-of-concept (PoC) exploit has since been made available."
#security-vulnerability #cve-2024-52875 #remote-code-execution #gfi-keriocontrol #cybersecurity-threats
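The two weaknesses Romano describes, user input reaching a `Location` header and line-feed characters not being filtered, are easy to see side by side. The following is an added example written for this page, not KerioControl's code or Romano's proof of concept: a naive redirect builder, a hardened one that rejects control characters and off-site targets, and a small detection pass over constructed access-log lines. The `dest` parameter name comes from the advisory; the `/redirect` path, the sample log lines and the `Set-Cookie` value are constructed placeholders.

```python
"""
Added example (not KerioControl code): why an unfiltered LF in a redirect
target splits an HTTP response, how a hardened redirect handler rejects it,
and how to spot attempts in access logs. All sample values are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Characters that must never reach a header value: CR, LF and other C0 controls.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")

# Extracts the raw (still percent-encoded) value of a 'dest' query parameter.
_DEST_PARAM = re.compile(r"[?&]dest=([^&\s]*)")


def naive_location_header(dest: str) -> str:
    """The weak pattern: interpolate user input straight into the header.

    A dest value containing "\\n" (or "\\r\\n") ends the Location line early, so
    whatever follows is parsed as further headers or body. That is the
    response-splitting primitive the advisory describes; LF alone suffices for
    many parsers, which is why filtering CR only is not enough.
    """
    return f"Location: {dest}\r\n"


def safe_location_header(dest: str, default: str = "/") -> str:
    """Hardened version: validate the redirect target before it is used.

    - percent-decode first so %0A / %0D are caught as well as literal CR/LF
    - refuse any control character
    - allow only same-site relative paths (no scheme, no host, no '//' prefix)
    Rejected input falls back to a fixed default location; the original,
    still-encoded dest is emitted when it passes, so encoding is preserved.
    """
    decoded = unquote(dest)
    if _CTRL.search(decoded):
        return f"Location: {default}\r\n"
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc or not decoded.startswith("/") or decoded.startswith("//"):
        return f"Location: {default}\r\n"
    return f"Location: {dest}\r\n"


def flag_split_attempts(log_lines):
    """Detection: return the log lines whose 'dest' parameter decodes to a value
    containing a control character, i.e. a header-injection attempt."""
    hits = []
    for line in log_lines:
        m = _DEST_PARAM.search(line)
        if m and _CTRL.search(unquote(m.group(1))):
            hits.append(line)
    return hits


# Constructed access-log lines (placeholder path, not a real KerioControl URL).
SAMPLE_LOG = [
    '203.0.113.5 - - "GET /redirect?dest=/admin HTTP/1.1" 302',
    '203.0.113.9 - - "GET /redirect?dest=/x%0d%0aSet-Cookie:%20a=b HTTP/1.1" 302',
]

if __name__ == "__main__":
    print(repr(naive_location_header("/x\nSet-Cookie: a=b")))   # header split
    print(repr(safe_location_header("/x%0aSet-Cookie:%20a=b")))  # falls back to "/"
    print(flag_split_attempts(SAMPLE_LOG))                      # second line only
```

The decode-before-check order matters: a filter that inspects the raw query string misses `%0A`, while one that inspects only the decoded value and then emits the decoded string can reintroduce `//` or other sequences that were harmless while encoded. Checking the decoded value and emitting the original is the conservative combination. The log check is deliberately narrow (control characters in `dest` only) so it produces few false positives on ordinary redirects.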