Description
This web application is vulnerable to Email Header Injection. Email Header Injection is a security vulnerability that allows a malicious user to tamper with the email messages that are sent from the web application by injecting additional SMTP/IMAP headers. A malicious spammer could potentially use this tactic to send large numbers of messages anonymously.
Remediation
You need to restrict the CR (0x0D, decimal 13) and LF (0x0A, decimal 10) characters in user input that reaches email headers. Check references for more information about fixing this vulnerability.
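The following added example (not part of the original page) contrasts a header block built by string concatenation with a hardened builder that rejects CR and LF before the value reaches a header. The addresses, function names and sample subject are constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.parser import Parser

# CR (0x0D) and LF (0x0A) end a header line, so neither belongs in a header value.
_CR_LF = re.compile(r"[\r\n]")

# Constructed sample input: a "subject" form field carrying an extra header line.
SAMPLE_SUBJECT = "Hello\r\nBcc: third-party@example.test"


def build_naive(subject: str, body: str) -> str:
    """Vulnerable pattern: user input concatenated into the header block."""
    return (
        "From: webform@example.test\r\n"
        "To: support@example.test\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
        f"{body}"
    )


def header_names(raw_message: str) -> list:
    """Header names a mail parser sees in a raw message."""
    return Parser().parsestr(raw_message, headersonly=True).keys()


def safe_header(value: str) -> str:
    """Reject any header value containing CR or LF, including a trailing one."""
    if _CR_LF.search(value):
        raise ValueError("CR or LF is not allowed in an email header value")
    return value


def build_safe(subject: str, body: str) -> EmailMessage:
    """Hardened pattern: validate first, then let the email library fold headers."""
    msg = EmailMessage()
    msg["From"] = "webform@example.test"
    msg["To"] = "support@example.test"
    msg["Subject"] = safe_header(subject)
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    print(header_names(build_naive(SAMPLE_SUBJECT, "hi")))
    try:
        build_safe(SAMPLE_SUBJECT, "hi")
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the input outright, instead of silently stripping the characters, also leaves a clear signal in application logs that a form field carried line breaks.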
References