Vulnerability Details CVE-2019-16385
Cybele Thinfinity VirtualUI 2.5.17.2 allows HTTP response splitting via the mimetype parameter within a PDF viewer request, as demonstrated by an example.pdf?mimetype= substring. The victim user must load an application request, containing the malicious payload, to view a PDF. This results in a reflected XSS payload being executed.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 43.6%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
Products affected by CVE-2019-16385
- cpe:2.3:a:cybelesoft:thinfinity_virtualui:2.0
- cpe:2.3:a:cybelesoft:thinfinity_virtualui:2.1.28.0
- cpe:2.3:a:cybelesoft:thinfinity_virtualui:2.1.32.1
- cpe:2.3:a:cybelesoft:thinfinity_virtualui:2.5
- cpe:2.3:a:cybelesoft:thinfinity_virtualui:2.5.17.2