CVE-2020-26130
Published 2020-10-28
CVE-2020-26130: Issues were discovered in Open TFTP Server multithreaded 1.66 and Open TFTP Server single port 1.66. Due to insufficient access restrictions in the default…
Priority: P3 39 · high · 7.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.44% (35.1st percentile)
Issues were discovered in Open TFTP Server multithreaded 1.66 and Open TFTP Server single port 1.66. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the OpenTFTPServerMT.exe or the OpenTFTPServerSP.exe binary.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open_tftp_server_project | open_tftp_server | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-8qj5-3c9x-p5q4: Issues were discovered in Open TFTP Server multithreaded 1
ghsa_unreviewed · 2022-05-24
CVE-2020-26130 [HIGH] CWE-269
Issues were discovered in Open TFTP Server multithreaded 1.66 and Open TFTP Server single port 1.66. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the OpenTFTPServerMT.exe or the OpenTFTPServerSP.exe binary.
Red Hat
cpp-httplib: CRLF Injection
vendor_redhat · 2023-05-30 · CVSS 7.5
CVE-2023-26130 [HIGH] CWE-93
Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors.
**Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507).
cpp-httplib before 0.12.4 is vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors.
Statement: No Red Hat product is affected by this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/OffensiveOceloot/advisories/blob/main/CVE-2020-26130.md
- https://github.com/an0ry/advisories
- https://sourceforge.net/projects/tftp-server/