CVE-2020-6858

Published: Mar 12, 2020Modified: Jun 17, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Hotels Styx through 1.0.0.beta8 allows HTTP response splitting due to CRLF Injection. This is exploitable if untrusted user input can appear in a response header.

Affected (9)

Products: Hotels: Styx

1 product

Configuration A

9 vulnerable

Vulnerable Software	Affected Versions
Hotels Styx	Up to 0.7.10
Hotels Styx	Version 1.0.0 beta1
Hotels Styx	Version 1.0.0 beta2
Hotels Styx	Version 1.0.0 beta3
Hotels Styx	Version 1.0.0 beta4
Hotels Styx	Version 1.0.0 beta5
Hotels Styx	Version 1.0.0 beta6
Hotels Styx	Version 1.0.0 beta7
Hotels Styx	Version 1.0.0 beta9

Related CWEs

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (4)

https://github.com/HotelsDotCom/styx/security/advisories/GHSA-6v7p-v754-j89v

Source: cve@mitre.org

ExploitThird Party Advisory

https://twitter.com/JLLeitschuh

Source: cve@mitre.org

Third Party Advisory

https://github.com/HotelsDotCom/styx/security/advisories/GHSA-6v7p-v754-j89v

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://twitter.com/JLLeitschuh

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.