CVE-2021-43106

Published: Feb 14, 2022Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

A Header Injection vulnerability exists in Compass Plus TranzWare Online FIMI Web Interface Tranzware Online (TWO) 5.3.33.3 F38 and FIMI 4.2.19.4 25.The HTTP host header can be manipulated and cause the application to behave in unexpected ways. Any changes made to the header would just cause the request to be sent to a completely different Domain/IP address. This is due to that the server implicitly trusts the Host header, and fails to validate or escape it properly. An attacker can use this input to redirect target users to a malicious domain/web page. This would result in expanding the potential to further attacks and malicious actions.

Affected (2)

Products: Compassplus: Tranzware Online, Tranzware Online Financial Institution Maintenance Interface

2 products

Tranzware Online

Tranzware Online Financial Institution Maintenance Interface

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Compassplus Tranzware Online	Version 5.3.33.3_f38
Compassplus Tranzware Online Financial Institution Maintenance Interface	Version 4.2.19.4.25

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (2)

https://github.com/IthacaLabs/CompassPlus/tree/main/TranzWare%20Online%20FIMI_Version%204.2.19.4%2025_HHI

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/IthacaLabs/CompassPlus/tree/main/TranzWare%20Online%20FIMI_Version%204.2.19.4%2025_HHI

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.