CVE-2021-43106

{"id": "CVE-2021-43106", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2022-02-14T20:15:08.777", "references": [{"url": "https://github.com/IthacaLabs/CompassPlus/tree/main/TranzWare%20Online%20FIMI_Version%204.2.19.4%2025_HHI", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-116"}]}], "descriptions": [{"lang": "en", "value": "A Header Injection vulnerability exists in Compass Plus TranzWare Online FIMI Web Interface Tranzware Online (TWO) 5.3.33.3 F38 and FIMI 4.2.19.4 25.The HTTP host header can be manipulated and cause the application to behave in unexpected ways. Any changes made to the header would just cause the request to be sent to a completely different Domain/IP address. This is due to that the server implicitly trusts the Host header, and fails to validate or escape it properly. An attacker can use this input to redirect target users to a malicious domain/web page. This would result in expanding the potential to further attacks and malicious actions."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de Inyecci\u00f3n de Encabezado en Compass Plus TranzWare Online FIMI Web Interface Tranzware Online (TWO) versi\u00f3n 5.3.33.3 F38 y FIMI versi\u00f3n 4.2.19.4 25. El encabezado HTTP del host puede ser manipulada y causar a la aplicaci\u00f3n comportarse de manera no esperada. Cualquier cambio realizado en el encabezado s\u00f3lo causar\u00eda que la petici\u00f3n se enviara a una direcci\u00f3n de dominio/IP completamente diferente. Esto es debido a que el servidor conf\u00eda impl\u00edcitamente en el encabezado Host, y no la comprueba ni la escapa apropiadamente. Un atacante puede usar esta entrada para redirigir a usuarios objetivo a un dominio/p\u00e1gina web maliciosa. Esto resultar\u00eda en la ampliaci\u00f3n de la posibilidad de nuevos ataques y acciones maliciosas"}], "lastModified": "2022-02-23T02:01:08.233", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:compassplus:tranzware_online:5.3.33.3_f38:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "56847680-FDA6-48CD-B65D-A74B1DAE4BF3"}, {"criteria": "cpe:2.3:a:compassplus:tranzware_online_financial_institution_maintenance_interface:4.2.19.4.25:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B193BAED-9568-4CEE-83DC-C8F4DE4768B6"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}