CVE-2020-4706

CWE-79Cross-site Scripting (XSS)CWE-20Improper Input Validation3 documents3 sources
Severity
5.4MEDIUM
EPSS
0.0%
top 87.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
IBM API Connect
Timeline
PublishedAug 17
Latest updateMay 24

Description

IBM API Connect 5.0.0.0 through 5.0.8.10 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 187194.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

NVDibm/api_connect5.0.0.05.0.8.10
CVEListV5ibm/api_connect5.0.0.0, 5.0.8.10+1

🔴Vulnerability Details

2
GHSA
GHSA-hvpr-gj5q-6q5q: IBM API Connect 52022-05-24
CVEList
CVE-2020-4706: IBM API Connect 52021-08-17
CVE-2020-4706 (MEDIUM CVSS 5.4) | IBM API Connect 5.0.0.0 through 5.0 | cvebase.io