Description
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
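The gap described above, as an added example that is not WEBrick's code or part of the original advisory: a check that rejects only the CR LF pair, beside one that rejects any CR or LF. All function names and sample values are hypothetical and constructed for illustration, and the lenient line-splitting recipient is an assumption.

```ruby
# Added example; not WEBrick's code. All names here are hypothetical.

# Incomplete check: rejects only the CR LF pair.
def crlf_only_safe?(value)
  !value.include?("\r\n")
end

# Complete check: rejects any CR or LF, paired or isolated.
def header_value_safe?(value)
  !value.match?(/[\r\n]/)
end

# Serialize one header field, refusing a name or value that carries CR or LF.
def header_line(name, value)
  [name, value].each do |part|
    next if header_value_safe?(part.to_s)
    raise ArgumentError, "CR or LF in header field #{name.inspect}"
  end
  "#{name}: #{value}\r\n"
end

# Assumption: a lenient recipient that ends a line at CRLF, lone CR or lone LF.
def lenient_header_count(raw)
  raw.split(/\r\n|\r|\n/).reject(&:empty?).length
end

# Constructed sample inputs for a value copied into one response header.
SAMPLES = {
  "benign"  => "en-US",
  "crlf"    => "en\r\nX-Injected: 1",
  "lone_lf" => "en\nX-Injected: 1",
  "lone_cr" => "en\rX-Injected: 1"
}.freeze

# For each sample: the verdict of both checks, and how many header lines the
# lenient recipient would see if the value were written without any check.
def audit(samples = SAMPLES)
  samples.transform_values do |v|
    { crlf_only: crlf_only_safe?(v),
      strict: header_value_safe?(v),
      lines_seen: lenient_header_count("Content-Language: #{v}\r\n") }
  end
end

audit.each { |label, r| puts "#{label}: #{r}" } if __FILE__ == $PROGRAM_NAME
```

The `lone_lf` and `lone_cr` samples pass the pair-only check yet still yield two header lines, which is the case the stricter check closes.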
Remediation
References