CVE-2007-2401

Sažetak

CRLF injection vulnerability in WebCore in Apple Mac OS X 10.3.9, 10.4.9 and later, and iPhone before 1.0.1, allows remote attackers to inject arbitrary HTTP headers via LF characters in an XMLHttpRequest request, which are not filtered when serializing headers via the setRequestHeader function. NOTE: this issue can be leveraged for cross-site scripting (XSS) attacks.

Reference

http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt
http://docs.info.apple.com/article.html?artnum=305759
http://lists.apple.com/archives/Security-announce/2007/Jun/msg00003.html
http://www.kb.cert.org/vuls/id/845708
http://www.securityfocus.com/bid/24598
http://www.securitytracker.com/id?1018281
http://secunia.com/advisories/25786
http://docs.info.apple.com/article.html?artnum=306173
http://secunia.com/advisories/26287
http://www.vupen.com/english/advisories/2007/2316
http://www.vupen.com/english/advisories/2007/2731
http://www.vupen.com/english/advisories/2007/2296
http://osvdb.org/36449
https://exchange.xforce.ibmcloud.com/vulnerabilities/35017
http://www.securityfocus.com/archive/1/472198/100/0/threaded

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

09-08-2022 - 13:46

Objavljeno

25-06-2007 - 19:30