EPiServer.ConnectForMarketingAutomation 5.3.0
EPiServer.ConnectForMarketingAutomation 5.3.4
Mar 11, 2019
Mar 29, 2019
Closed, Fixed and tested
Description
A function call contains an HTTP response splitting flaw. Writing untrusted input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and cross-site scripting attacks.
Recommendations
Remove unexpected carriage returns and line feeds from untrusted data used to construct an HTTP response. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.
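A centralized validation routine of the kind the recommendation describes, as an added Python example that is not part of the EPiServer connector; the cookie name and value grammar it enforces comes from RFC 6265, and the "tracking" cookie name and the tainted sample value are constructed for the demonstration.

```python
"""Centralized validation for data written into HTTP response headers.

Added example for the recommendation above, not code from the EPiServer
connector. Grammar follows RFC 6265 section 4.1.1 (token / cookie-octet).
"""
import re

# cookie-octet: printable US-ASCII minus CTLs, space, DQUOTE, comma,
# semicolon and backslash. CR and LF are CTLs, so a value that passes
# this check can never terminate the header line early.
_COOKIE_VALUE = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")
# token (cookie name): no CTLs and no separators.
_COOKIE_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class HeaderInjectionError(ValueError):
    """Untrusted data does not conform to the expected header format."""


def strip_crlf(untrusted: str) -> str:
    """Fallback repair: drop CR, LF and NUL from data destined for a header."""
    return untrusted.replace("\r", "").replace("\n", "").replace("\x00", "")


def validate_cookie_value(untrusted: str) -> str:
    """Preferred: reject, rather than repair, anything outside cookie-octet."""
    if _COOKIE_VALUE.fullmatch(untrusted) is None:
        raise HeaderInjectionError(f"invalid cookie value: {untrusted!r}")
    return untrusted


def build_set_cookie(name: str, untrusted_value: str, secure: bool = True) -> str:
    """Build one Set-Cookie header line from a validated name and value."""
    if _COOKIE_NAME.fullmatch(name) is None:
        raise HeaderInjectionError(f"invalid cookie name: {name!r}")
    value = validate_cookie_value(untrusted_value)
    attrs = ["Path=/", "HttpOnly"] + (["Secure"] if secure else [])
    return f"Set-Cookie: {name}={value}; " + "; ".join(attrs)


def header_line_count(raw_header: str) -> int:
    """Number of header lines a raw string parses as; 1 means it stayed intact."""
    return len(re.split(r"\r?\n", raw_header))


if __name__ == "__main__":
    tainted = "abc123\r\nX-Constructed: test"  # constructed untrusted input
    print(build_set_cookie("tracking", "abc123"))
    print("unchecked:", header_line_count("Set-Cookie: tracking=" + tainted), "lines")
    print("stripped:", header_line_count("Set-Cookie: tracking=" + strip_crlf(tainted)), "line")
```

Rejecting non-conforming input (validate_cookie_value) is the primary control; strip_crlf is only the defensive fallback for code paths that must emit something.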
Offender:
episerver.marketing.connector.dll
void UpsertTrackingCookie(string, string, System.Collections.Generic.List<Connector.Framework.Data.CookieData>) 66%