Code Injection in WebSphere Portal - CVE-2013-2950
Published: June 4, 2013 / Updated: August 11, 2020
Vulnerability identifier: #VU42821
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2013-2950
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: IBM Corporation
Affected software:
WebSphere Portal
WebSphere Portal
Detailed vulnerability description
The vulnerability allows a remote #AU# to manipulate data.
CRLF injection vulnerability in IBM WebSphere Portal 6.1.0.x before 6.1.0.3 CF26, 6.1.5.x before 6.1.5 CF26, 7.0.0.x before 7.0.0.2 CF21, and 8.0.0.x through 8.0.0.1 CF5, when home substitution (aka uri.home.substitution) is enabled, allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
How to mitigate CVE-2013-2950
Install update from vendor's website.