CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (NVD)
An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonauth/addCertException.cs and /nonauth/guestConfirm.cs and /nonauth/expiration.cs pages is not properly sanitized before being used to generate a Location HTTP header in a 302 HTTP response. This can be exploited to perform Open Redirect or HTTP Response Splitting attacks, which in turn lead to Reflected Cross-Site Scripting (XSS). Remote command execution can be achieved by leveraging the upgrade feature in the admin interface.
Analysis (AI)
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of unauthenticated pages. The unsanitized parameter is used to generate Location headers in 302 redirects, enabling open redirect, HTTP response injection, and reflected XSS that can escalate to admin session hijacking.
Technical Context (AI)
The dest GET parameter on the /nonauth/addCertException.cs, /nonauth/guestConfirm.cs, and /nonauth/expiration.cs pages is injected into a Location HTTP header without sanitization. By injecting CRLF sequences followed by additional headers or HTML body content, an attacker achieves HTTP response splitting. This enables reflected XSS that can steal admin session cookies or execute actions in the admin context.
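The following is an added example, not code from Kerio Control or from this site, showing in Python the flawed header-construction pattern described above next to a defensive validator for a redirect target such as dest; the function names and the fallback path are assumptions.

```python
# Added example (not Kerio Control's code): validating a user-supplied redirect
# target before it is placed in a 302 Location header. The validator blocks
# both CRLF-based response splitting and off-site (open) redirects.
from urllib.parse import urlsplit, unquote

# ASCII control characters (CR, LF, NUL, tab, ...) and DEL must never reach a header.
CONTROL_CHARS = {chr(c) for c in range(0x00, 0x20)} | {"\x7f"}


def build_location_header_unsafe(dest: str) -> str:
    """Mirrors the flawed pattern described above: the raw parameter lands in
    the header, so CRLF in dest starts a new header or body line."""
    return f"Location: {dest}"


def safe_redirect_target(dest: str, fallback: str = "/") -> str:
    """Return dest only if it is an absolute-path, same-origin reference
    containing no control characters; otherwise return the fallback path."""
    if not dest:
        return fallback
    # Check both the raw value and its percent-decoded form, since a later
    # decoding step could otherwise turn %0d%0a back into CR LF.
    for candidate in (dest, unquote(dest)):
        if any(ch in CONTROL_CHARS for ch in candidate):
            return fallback  # response-splitting attempt
        parts = urlsplit(candidate)
        if parts.scheme or parts.netloc:
            return fallback  # absolute URL or scheme-relative (//host) target
        # Require a single leading slash; "//" and "/\" are treated by
        # browsers as host-relative and would allow an open redirect.
        if (not candidate.startswith("/")
                or candidate.startswith("//")
                or candidate.startswith("/\\")):
            return fallback
    return dest


def build_location_header(dest: str) -> str:
    """Hardened counterpart: only a validated same-origin path is emitted."""
    return f"Location: {safe_redirect_target(dest)}"
```

Constructed inputs such as "/ok%0d%0aX:%20y" or "//evil.example/" fall back to "/", while ordinary application paths pass through unchanged.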
Remediation (AI)
Update Kerio Control to version 9.4.6 or later. Implement browser security headers (Content-Security-Policy, X-Content-Type-Options). Restrict admin interface access to trusted IP addresses. Educate administrators about phishing attacks targeting management interfaces.