Description

CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.

Remediation

References

CVE-2016-3166

Related Vulnerabilities

MyBB Improper Privilege Management Vulnerability (CVE-2018-1000503)

WordPress Plugin User Domain Whitelist Multiple Vulnerabilities (1.4)

WordPress Plugin All Video Gallery 'vid' Parameter Multiple SQL Injection Vulnerabilities (1.1)

phpMyAdmin Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-5739)

MySQL Improper Neutralization of Special Elements used in a Command ('Command Injection') Vulnerability (CVE-2010-2008)

Severity

Medium

Classification

CVE-2016-3166 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities