CVE-2014-9563

MEDIUM Year: 2014
CVSS v3 Score
4.9
Medium
CVSS v2 Score
4.0
Medium
Weakness Type
CWE-93
View all →

Vulnerability Description

CRLF injection vulnerability in the web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 allows remote authenticated users to modify the root password and consequently access the debug port using the serial interface via the ssh-password parameter to page.cmd.

Related Vulnerabilities

CVE-2020-3246

MEDIUM
CVSS:4.7(Medium)

A vulnerability in the web server of Cisco Umbrella could allow an unauthenticated, remote attacker to perform a carriage return line feed (CRLF) injection attack against a user of an affected service...

CWE-932020

CVE-2020-3561

MEDIUM
CVSS:4.7(Medium)

A vulnerability in the Clientless SSL VPN (WebVPN) of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker...

CWE-932020

CVE-2017-18587

MEDIUM
CVSS:5.3(Medium)

An issue was discovered in the hyper crate before 0.9.18 for Rust. It mishandles newlines in headers.

CWE-932017

CVE-2018-12537

MEDIUM
CVSS:5.3(Medium)

In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfilter...

CWE-932018

CVE-2023-26148

MEDIUM
CVSS:5.3(Medium)

All versions of the package ithewei/libhv are vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \r\n (carriage return line feeds) character...

CWE-932023

CVE-2024-45597

MEDIUM
CVSS:5.3(Medium)

Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitr...

CWE-932024