CVE Vulnerability

CVE-2007-2401

CRLF injection vulnerability in WebCore in Apple Mac OS X 10.3.9, 10.4.9 and later, and iPhone before 1.0.1, allows remote attackers to inject arbitrary HTTP headers via LF characters in an XMLHttpRequest request, which are not filtered when serializing headers via the setRequestHeader function. NOTE: this issue can be leveraged for cross-site scripting (XSS) attacks.

4.3 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

References
Link Resource
http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt Patch Vendor Advisory
http://docs.info.apple.com/article.html?artnum=305759
http://lists.apple.com/archives/Security-announce/2007/Jun/msg00003.html Patch
http://www.kb.cert.org/vuls/id/845708 US Government Resource
http://www.securityfocus.com/bid/24598 Patch
http://www.securitytracker.com/id?1018281 Patch
http://secunia.com/advisories/25786 Patch Vendor Advisory
http://docs.info.apple.com/article.html?artnum=306173
http://secunia.com/advisories/26287 Vendor Advisory
http://www.vupen.com/english/advisories/2007/2316
http://www.vupen.com/english/advisories/2007/2731
http://www.vupen.com/english/advisories/2007/2296
http://osvdb.org/36449
https://exchange.xforce.ibmcloud.com/vulnerabilities/35017
http://www.securityfocus.com/archive/1/472198/100/0/threaded
Configurations

Configuration 1
Information

Published : 2007-06-25 07:30

Updated : 2022-08-09 01:46

NVD link : CVE-2007-2401

Mitre link : CVE-2007-2401

Products Affected
No products.
CWE
CWE-79