Detections
Analytics

CVE-2007-2401

medium

Description

CRLF injection vulnerability in WebCore in Apple Mac OS X 10.3.9, 10.4.9 and later, and iPhone before 1.0.1, allows remote attackers to inject arbitrary HTTP headers via LF characters in an XMLHttpRequest request, which are not filtered when serializing headers via the setRequestHeader function. NOTE: this issue can be leveraged for cross-site scripting (XSS) attacks.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/35017

http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt

http://www.vupen.com/english/advisories/2007/2731

http://www.vupen.com/english/advisories/2007/2316

http://www.vupen.com/english/advisories/2007/2296

http://www.securitytracker.com/id?1018281

http://www.securityfocus.com/bid/24598

http://www.securityfocus.com/archive/1/472198/100/0/threaded

http://www.kb.cert.org/vuls/id/845708

http://secunia.com/advisories/26287

http://secunia.com/advisories/25786

http://osvdb.org/36449

http://lists.apple.com/archives/Security-announce/2007/Jun/msg00003.html

http://docs.info.apple.com/article.html?artnum=306173

http://docs.info.apple.com/article.html?artnum=305759

Details

Source: Mitre, NVD

Published: 2007-06-25

Updated: 2022-08-09

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium