Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Twisted vulnerable to NameVirtualHost Host header injection
Vulnerability Description
Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Vulnerability Type
Web页面中脚本相关HTML标签转义处理不恰当(基本跨站脚本)
Vulnerability Title
Twisted 跨站脚本漏洞
Vulnerability Description
Twisted是一款使用Python语言编写的事件驱动的开源网络引擎。 Twisted 0.9.4 版本到 22.10.0rc1 版本存在安全漏洞,该漏洞源于当主机标头与配置的主机不匹配时,“twisted.web.vhost.NameVirtualHost”将返回一个“NoResource”资源,该资源将主机标头未转义为 404 响应,从而允许 HTML 和脚本注入。
CVSS Information
N/A
Vulnerability Type
N/A