VYPR
NVD Advisory · Severity: Unrated · Published Jun 4, 2020 · Updated Aug 5, 2024

CVE-2019-16385

Description

Cybele Thinfinity VirtualUI 2.5.17.2 allows HTTP response splitting via the mimetype parameter within a PDF viewer request, as demonstrated by an example.pdf?mimetype= substring. The victim user must load an application request to view a PDF, containing the malicious payload. This results in a reflected XSS payload being executed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HTTP response splitting in Cybele Thinfinity VirtualUI 2.5.17.2 enables reflected XSS via a crafted mimetype parameter in a PDF viewer request.

Vulnerability

Cybele Thinfinity VirtualUI version 2.5.17.2 is vulnerable to HTTP response splitting via the mimetype parameter within a PDF viewer request. An attacker can inject carriage-return/line-feed (CRLF) sequences (%0d%0a) into the mimetype parameter, causing the response to be split and allowing control over response headers and body. This is demonstrated by a request to example.pdf?mimetype= followed by the malicious payload [1].

Exploitation

An attacker must convince a victim user to load a crafted URL pointing to a PDF viewer endpoint and containing the mimetype parameter with embedded CRLF sequences. The user must be logged into the application and interact with the link (e.g., via phishing or a cross-site request). The injected CRLF allows the attacker to inject arbitrary headers and content, resulting in a reflected cross-site scripting attack. The server returns a 200 OK response with the attacker-controlled payload reflected in the Content-type header or subsequent response [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session under the same origin. This could lead to session hijacking, data theft, or further application compromise. The attack does not require authentication beyond the victim being logged in, and no special privileges are needed [1].

Mitigation

As of the publication of the advisory (June 2020), no patch or fixed version had been announced for Thinfinity VirtualUI. Users should monitor vendor updates for a patched release. In the absence of a fix, organizations should limit exposure by restricting access to the application and ensuring users do not follow untrusted links [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `mimetype` URL parameter is reflected verbatim into the `Content-type` response header without sanitization, allowing CRLF injection to split the HTTP response."

Attack vector

An attacker crafts a URL containing a `mimetype` parameter that includes URL-encoded (percent-encoded) CRLF characters (`%0d%0a`) followed by arbitrary HTML and JavaScript. The victim must load an application request to view a PDF containing this malicious payload. The injected CRLF characters split the HTTP response, causing the attacker's JavaScript to be reflected in the response body and executed in the victim's browser [1].

Affected code

The vulnerable parameter is the `mimetype` URL parameter within a PDF viewer request. The advisory does not specify a particular function or file path, but the attack is demonstrated on a request such as `example.pdf?mimetype=...` [1].

What the fix does

The advisory states that Cyblesoft released a patch to address both the path traversal and HTTP header injection vulnerabilities, and that the patch was confirmed effective on 14 October 2019. No patch diff is provided in the bundle, so the specific code changes are not available. The remediation guidance is to apply the vendor-supplied patch [1].
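The root cause, attack vector and fix sections above describe the mechanism but no VirtualUI code is available. The following is an added, self-contained Python illustration (not Thinfinity code, not the vendor's patch) of what "reflected verbatim into the Content-type header" means on the wire, what a sanitized version of the same handler looks like, and a log check a defender can run for the `%0d%0a` pattern in the `mimetype` parameter. The response builder, the allow-list of media types, the PDF placeholder body and the access-log lines are all constructed for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed allow-list; a real deployment would list only the types it serves.
ALLOWED_MIMETYPES = {"application/pdf", "application/octet-stream"}
CRLF_RE = re.compile(r"[\r\n]")            # raw CR or LF
ENCODED_CRLF_RE = re.compile(r"%0[dDaA]")  # percent-encoded CR or LF

# Constructed stand-in for a real PDF file served by the viewer endpoint.
PDF_BODY = b"%PDF-1.4\n% constructed placeholder body\n"

# Constructed attacker-style value as the framework would hand it to the
# handler after URL-decoding: media type, blank line, then markup.
DECODED_PAYLOAD = unquote("application/pdf%0d%0a%0d%0a<script>alert(1)</script>")


def _serialize(mimetype: str, body: bytes) -> bytes:
    """Hypothetical raw HTTP/1.1 response with Content-type and Content-Length."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        f"Content-type: {mimetype}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode("latin-1") + body


def build_response_vulnerable(mimetype: str, body: bytes) -> bytes:
    """Root-cause pattern: the parameter goes into the header untouched."""
    return _serialize(mimetype, body)


def sanitize_mimetype(mimetype):
    """Hardened handling: refuse any CR/LF, then map to an allow-listed type,
    falling back to application/pdf for anything unexpected."""
    if mimetype is None:
        return "application/pdf"
    if CRLF_RE.search(mimetype):
        raise ValueError("CR/LF not permitted in header values")
    normalized = mimetype.strip().lower()
    return normalized if normalized in ALLOWED_MIMETYPES else "application/pdf"


def build_response_hardened(mimetype, body: bytes) -> bytes:
    return _serialize(sanitize_mimetype(mimetype), body)


def hardened_rejects(mimetype) -> bool:
    """True when the hardened builder refuses the value outright."""
    try:
        build_response_hardened(mimetype, PDF_BODY)
    except ValueError:
        return True
    return False


def body_as_seen_by_client(raw: bytes) -> bytes:
    """What an HTTP client treats as the body: everything after the first
    blank line. For a split response this is the injected markup."""
    _head, _sep, body = raw.partition(b"\r\n\r\n")
    return body


def flag_request(url: str) -> bool:
    """Detection on the raw request line: a mimetype parameter carrying an
    encoded or raw CR/LF. Checks the undecoded value so %0d%0a is visible."""
    for part in urlsplit(url).query.split("&"):
        name, _, value = part.partition("=")
        if unquote(name).lower() != "mimetype":
            continue
        if ENCODED_CRLF_RE.search(value) or CRLF_RE.search(unquote(value)):
            return True
    return False


# Constructed access-log lines (not real traffic).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - "GET /example.pdf?mimetype=application/pdf HTTP/1.1" 200',
    '10.0.0.9 - - "GET /example.pdf?mimetype=application/pdf%0d%0a%0d%0a'
    '%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200',
]


def suspicious_log_lines(lines):
    """Return the log lines whose request URL trips flag_request()."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) ', line)
        if m and flag_request(m.group(1)):
            hits.append(line)
    return hits


if __name__ == "__main__":
    split = build_response_vulnerable(DECODED_PAYLOAD, PDF_BODY)
    print("vulnerable body starts with:", body_as_seen_by_client(split)[:25])
    print("hardened rejects payload:", hardened_rejects(DECODED_PAYLOAD))
    print("flagged log lines:", len(suspicious_log_lines(SAMPLE_ACCESS_LOG)))
```

The vulnerable builder yields a response whose body, as a browser parses it, begins with the injected `<script>` rather than the PDF bytes; the hardened builder raises before any header is written. The log check looks at the undecoded parameter, so it catches `%0d%0a` in either case but not double-encoded forms such as `%250d`; where the application decodes more than once, run the same check on the value as the application finally sees it.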

Preconditions

  • input: The victim must load an application request to view a PDF containing the attacker's malicious payload.
  • network: The attacker must be able to deliver a crafted URL with a mimetype parameter containing CRLF characters and XSS payload to the victim.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.