Description

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

Remediation

References

CVE-2020-26116

Related Vulnerabilities

phpMyAdmin Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-9855)

Drupal Other Vulnerability (CVE-2022-25275)

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-32244)

WordPress Plugin External Links-nofollow, noopener & new window Multiple Cross-Site Scripting Vulnerabilities (1.80)

WordPress Plugin Abandoned Cart Lite for WooCommerce SQL Injection (1.8)

Severity

High

Classification

CVE-2020-26116 CWE-116 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities