Vulnerability Description
A Header Injection vulnerability exists in Compass Plus TranzWare Online FIMI Web Interface Tranzware Online (TWO) 5.3.33.3 F38 and FIMI 4.2.19.4 25.The HTTP host header can be manipulated and cause the application to behave in unexpected ways. Any changes made to the header would just cause the request to be sent to a completely different Domain/IP address. This is due to that the server implicitly trusts the Host header, and fails to validate or escape it properly. An attacker can use this input to redirect target users to a malicious domain/web page. This would result in expanding the potential to further attacks and malicious actions.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Compassplus | Tranzware Online | 5.3.33.3_f38 |
| Compassplus | Tranzware Online Financial Institution Maintenance Interface | 4.2.19.4.25 |
Related Weaknesses (CWE)
References
- https://github.com/IthacaLabs/CompassPlus/tree/main/TranzWare%20Online%20FIMI_VeExploitThird Party Advisory
- https://github.com/IthacaLabs/CompassPlus/tree/main/TranzWare%20Online%20FIMI_VeExploitThird Party Advisory
FAQ
What is CVE-2021-43106?
CVE-2021-43106 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A Header Injection vulnerability exists in Compass Plus TranzWare Online FIMI Web Interface Tranzware Online (TWO) 5.3.33.3 F38 and FIMI 4.2.19.4 25.The HTTP host header can be manipulated and cause t...
How severe is CVE-2021-43106?
CVE-2021-43106 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-43106?
Check the references section above for vendor advisories and patch information. Affected products include: Compassplus Tranzware Online, Compassplus Tranzware Online Financial Institution Maintenance Interface.