VulnerableCode Package Details - pkg:deb/debian/libcgi-simple-perl@1.115-2?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
VCID-ez1w-qcsf-zbgp Aliases: CVE-2025-40927	CGI::Simple versions before 1.282 for Perl has a HTTP response splitting flaw This vulnerability is a confirmed HTTP response splitting flaw in CGI::Simple that allows HTTP response header injection, which can be used for reflected XSS or open redirect under certain conditions. Although some validation exists, it can be bypassed using URL-encoded values, allowing an attacker to inject untrusted content into the response via query parameters. As a result, an attacker can inject a line break (e.g. %0A) into the parameter value, causing the server to split the HTTP response and inject arbitrary headers or even an HTML/JavaScript body, leading to reflected cross-site scripting (XSS), open redirect or other attacks. The issue documented in CVE-2010-4410 https://www.cve.org/CVERecord?id=CVE-2010-4410 is related but the fix was incomplete. Impact By injecting %0A (newline) into a query string parameter, an attacker can: * Break the current HTTP header * Inject a new header or entire body * Deliver a script payload that is reflected in the server’s response That can lead to the following attacks: * reflected XSS * open redirect * cache poisoning * header manipulation	1.280-2+deb12u1 Affected by 0 other vulnerabilities. 1.282-1~deb13u1 Affected by 0 other vulnerabilities. 1.282-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-ez1w-qcsf-zbgp
Aliases:
CVE-2025-40927

CGI::Simple versions before 1.282 for Perl has a HTTP response splitting flaw This vulnerability is a confirmed HTTP response splitting flaw in CGI::Simple that allows HTTP response header injection, which can be used for reflected XSS or open redirect under certain conditions. Although some validation exists, it can be bypassed using URL-encoded values, allowing an attacker to inject untrusted content into the response via query parameters. As a result, an attacker can inject a line break (e.g. %0A) into the parameter value, causing the server to split the HTTP response and inject arbitrary headers or even an HTML/JavaScript body, leading to reflected cross-site scripting (XSS), open redirect or other attacks. The issue documented in CVE-2010-4410 https://www.cve.org/CVERecord?id=CVE-2010-4410 is related but the fix was incomplete. Impact By injecting %0A (newline) into a query string parameter, an attacker can: * Break the current HTTP header * Inject a new header or entire body * Deliver a script payload that is reflected in the server’s response That can lead to the following attacks: * reflected XSS * open redirect * cache poisoning * header manipulation

1.280-2+deb12u1
Affected by 0 other vulnerabilities.

1.282-1~deb13u1
Affected by 0 other vulnerabilities.

1.282-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-4ntu-mvzh-eqh4	Multiple vulnerabilities were found in Bugzilla, the worst of which leading to privilege escalation.	CVE-2010-2761
VCID-av9c-xkux-qqab	perl-CGI-Simple: - hardcoded MIME boundary value for multipart content, CVE-2010-4410 - CRLF injection allowing HTTP response splitting	CVE-2010-4410
VCID-bmvq-9v68-zue4	Multiple vulnerabilities were found in Bugzilla, the worst of which leading to privilege escalation.	CVE-2010-4411

Vulnerability

Summary

Aliases

VCID-4ntu-mvzh-eqh4

Multiple vulnerabilities were found in Bugzilla, the worst of which leading to privilege escalation.

CVE-2010-2761

VCID-av9c-xkux-qqab

perl-CGI-Simple: - hardcoded MIME boundary value for multipart content, CVE-2010-4410 - CRLF injection allowing HTTP response splitting

CVE-2010-4410

VCID-bmvq-9v68-zue4

Multiple vulnerabilities were found in Bugzilla, the worst of which leading to privilege escalation.

CVE-2010-4411

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T12:30:09.735945+00:00	Debian Importer	Fixing	VCID-av9c-xkux-qqab	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:03:18.097371+00:00	Debian Importer	Fixing	VCID-bmvq-9v68-zue4	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:48:16.732982+00:00	Debian Importer	Fixing	VCID-4ntu-mvzh-eqh4	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T08:33:35.735152+00:00	Debian Importer	Fixing	VCID-av9c-xkux-qqab	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:30:21.734789+00:00	Debian Importer	Fixing	VCID-bmvq-9v68-zue4	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:33:01.124719+00:00	Debian Importer	Fixing	VCID-4ntu-mvzh-eqh4	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:28:32.808358+00:00	Debian Importer	Affected by	VCID-ez1w-qcsf-zbgp	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:28:32.778274+00:00	Debian Importer	Fixing	VCID-bmvq-9v68-zue4	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:28:32.730835+00:00	Debian Importer	Fixing	VCID-av9c-xkux-qqab	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:28:32.680043+00:00	Debian Importer	Fixing	VCID-4ntu-mvzh-eqh4	https://security-tracker.debian.org/tracker/data/json	38.1.0