Issues » CRLF Header Injection vulnerability

Issue: SI-26
Date: Jul 17, 2014, 11:00:00 AM
Severity: Medium
Requires Admin Access: No
Fix Version: 3

Scanning software (Acunetix) has reported a CRLF Injection vulnerability in the htmlpdf servlet.

I have discussed this report with our Dotcms developers and they feel the report is correct and the problem is located in the Dotcms codebase.


Unmap the htmlpdf servlet if it is not being used.  If it is being used, update the code to sanitize the filename parameter.