Description

When you use static HTML pages (for example, Default.htm), a Content-Location header is added to the response. By default, in Internet Information Server (IIS), the Content-Location references the IP address of the server instead of the Fully Qualified Domain Name (FQDN) or Hostname.

Remediation

Check References for details on how to fix this problem.

References

IIS HTTP Host Header Injection Vulnerability Fix | Beyond Security

Related Vulnerabilities

WordPress Plugin Duplicator-WordPress Migration Arbitrary File Download (1.3.26)

RoR Development Mode enabled

WordPress Plugin Popup Maker-Popup for opt-ins, lead gen, & more Information Disclosure (1.8.11)

WordPress Plugin Jetpack-WP Security, Backup, Speed, & Growth Multiple Vulnerabilities (3.7.0)

WordPress Plugin Organizer Multiple Cross-Site Scripting and Information Disclosure Vulnerabilities (1.2.1)

Severity

Low

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure Configuration