Vulnerability Details : CVE-2007-5595
CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
Exploit prediction scoring system (EPSS) score for CVE-2007-5595
Probability of exploitation activity in the next 30 days: 1.50%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 87 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2007-5595
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
5.1
|
MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P |
4.9
|
6.4
|
NIST |
CWE ids for CVE-2007-5595
-
The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.Assigned by: nvd@nist.gov (Primary)
References for CVE-2007-5595
-
http://www.vupen.com/english/advisories/2007/3546
Third Party Advisory
-
http://www.securityfocus.com/bid/26119
Third Party Advisory;VDB Entry
-
http://drupal.org/node/184315
Vendor Advisory
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/37264
Third Party Advisory;VDB Entry
-
https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00328.html
Third Party Advisory
Products affected by CVE-2007-5595
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*