CVE-2018-11652

high-risk

Published 2018-06-01

CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report.

Do I need to act?

21.7% chance of exploitation in next 30 days

EPSS score — higher than 78% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

44899

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Nikto

Affected Vendors

Cirt.Net

References (4)

Patch https://github.com/sullo/nikto/commit/e759b3300aace5314fe3d30800c8bd83c81c29f7

Exploit https://www.exploit-db.com/exploits/44899/

Patch https://github.com/sullo/nikto/commit/e759b3300aace5314fe3d30800c8bd83c81c29f7

Exploit https://www.exploit-db.com/exploits/44899/

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 14/34 · Moderate

Exposure 5/34 · Minimal