Description

One of the scans performed by Acunetix has generated an Email Header Injection Alert. This caused an email to be sent from your website to the Acunetix AcuMonitor Service.

Remediation

You need to restrict CR(0x13) and LF(0x10) from the user input. Check references for more information about fixing this vulnerability.

References

Email Injection

PHP mail() Header Injection Through Subject and To Parameters

Related Vulnerabilities

Moodle Improper Input Validation Vulnerability (CVE-2022-35649)

XSLT injection

PHP unserialize() used on user input

MediaWiki Improper Input Validation Vulnerability (CVE-2020-35477)

PHP mail function ASCII control character header spoofing vulnerability

Severity

High

Classification

CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality Acumonitor