Description

When you use static HTML pages (for example, Default.htm), a Content-Location header is added to the response. By default, in Internet Information Server (IIS), the Content-Location references the IP address of the server instead of the Fully Qualified Domain Name (FQDN) or Hostname.

Remediation

Check References for details on how to fix this problem.

References

IIS HTTP Host Header Injection Vulnerability Fix | Beyond Security

Related Vulnerabilities

Typo3 debug mode enabled

SAP Management Console get user list

WordPress Plugin WP e-Commerce Shop Styling Arbitrary File Download (2.5)

WordPress 3.0.4 Multiple Vulnerabilities (0.6.2 - 3.0.4)

Atlassian Confluence information disclosure

Severity

Low

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure Configuration