Issue detail
The value of the CookieURLDescSubs cookie is copied into the Location response header. The payload 6b61f%0d%0a9c98044096b was submitted in the CookieURLDescSubs cookie. This caused a response containing an injected HTTP header.
Issue background
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.