Headline
CVE-2022-4721: Lack of sanitisation of characters in SSH key name could allow attacker to inject a hyperlink injection in rdiffweb
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository ikus060/rdiffweb prior to 2.5.5.
Description
Lack of sanitisation of characters in the SSH key name could allow an attacker to inject a hyperlink that redirects a victim to a malicious website.
Proof of Concept
1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys
2) Add SSH key
3) Enter the name evil.com
4) Due to the lack of sanitisation, this might cause a hyperlink injection attack once the email is triggered on successfully adding the SSH key
Impact
This issue allows an attacker to redirect a victim to a malicious website and carry out a phishing attack.
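One way to close this class of issue is to validate the key name on input, before it reaches the notification email. The sketch below is an added example, not rdiffweb's code or its actual 2.5.5 fix; the allowlist policy, the length limit, the function names and the mail template are all assumptions.

```python
import re

# Assumed policy for this example (not taken from rdiffweb): a key name may
# contain only ASCII letters, digits, spaces, hyphens and underscores.
# Excluding '.', '/', ':' and '@' means the value can never be auto-linked
# as a domain, URL or e-mail address by a mail client.
MAX_NAME_LEN = 64
_ALLOWED_NAME = re.compile(r"[A-Za-z0-9 _-]+")


class InvalidKeyName(ValueError):
    """Raised when a submitted SSH key name breaks the policy above."""


def validate_key_name(name: str) -> str:
    """Return the trimmed name, or raise InvalidKeyName."""
    name = name.strip()
    if not name:
        raise InvalidKeyName("name is empty")
    if len(name) > MAX_NAME_LEN:
        raise InvalidKeyName("name is too long")
    if not _ALLOWED_NAME.fullmatch(name):
        raise InvalidKeyName("name contains characters outside the allowed set")
    return name


def render_notification(name: str) -> str:
    """Build the plain-text 'key added' mail body (hypothetical template)."""
    return f'A new SSH key named "{validate_key_name(name)}" was added to your account.'


def classify(names):
    """Map each submitted name to True (accepted) or False (rejected)."""
    results = {}
    for name in names:
        try:
            validate_key_name(name)
            results[name] = True
        except InvalidKeyName:
            results[name] = False
    return results


# Constructed sample inputs; "evil.com" is the value from the proof of concept.
SAMPLES = ["laptop-2024", "evil.com", "https://evil.com/login", "evil\uff0ecom", "  "]

if __name__ == "__main__":
    for name, ok in classify(SAMPLES).items():
        print(f"{name!r:28} -> {'accepted' if ok else 'rejected'}")
```

Because the rule is an allowlist, look-alike separators such as the fullwidth full stop in the fourth sample are rejected without needing a separate denylist entry.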
Related news
GHSA-83pm-7v48-5jp4: rdiffweb vulnerable to Special Element Injection
In rdiffweb prior to 2.5.5, lack of sanitisation of characters in the SSH key name could allow an attacker to inject a hyperlink that redirects a victim to a malicious website.