CVE-2023-38551

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-38551
CWE	https://cwe.mitre.org/data/definitions/93.html

NVD

https://nvd.nist.gov/vuln/detail/CVE-2023-38551

CWE

https://cwe.mitre.org/data/definitions/93.html

A CRLF Injection vulnerability in Ivanti Connect Secure (9.x, 22.x) allows an authenticated high-privileged user to inject malicious code on a victim’s browser, thereby leading to cross-site scripting attack.

Weakness

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Potential Mitigations

https://cwe.mitre.org/data/definitions/15.html
https://cwe.mitre.org/data/definitions/81.html

References

https://forums.ivanti.com/s/article/Security-Advisory-May-2024
https://forums.ivanti.com/s/article/Security-Advisory-May-2024

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Weakness

Potential Mitigations

Related Attack Patterns

References