In Metinfo 6.1.3, include/interface/applogin.php allows setting arbitrary HTTP headers (including the Cookie header), and allows registering variables from the $_COOKIE value. This issue can, for example, be exploited in conjunction with CVE-2018-19835 to bypass many XSS filters such as the Chrome XSS filter.

Published : 2018-12-03 19:29 Updated : 2019-02-05 14:24

CVSS Score More info
Score 4.3 / 10
Vendor Product Version URI
Metinfo Metinfo 6.1.3 cpe:/a:metinfo:metinfo:6.1.3
  1. Metinfo (1) Search CVE
    1. Metinfo (1) Search CVE
      1. 6.1.3


ID Name Description Links
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. CVE

History of changes

Date Event
2019-02-05 14:24
2018-12-03 19:29