CRLF injection vulnerability in WebCore in Apple Mac OS X 10.3.9, 10.4.9 and later, and iPhone before 1.0.1, allows remote attackers to inject arbitrary HTTP headers via LF characters in an XMLHttpRequest request, which are not filtered when serializing headers via the setRequestHeader function. NOTE: this issue can be leveraged for cross-site scripting (XSS) attacks.
References
Configurations
Configuration 1 (hide)
AND |
|
History
21 Nov 2024, 00:30
Type | Values Removed | Values Added |
---|---|---|
References | () http://docs.info.apple.com/article.html?artnum=305759 - | |
References | () http://docs.info.apple.com/article.html?artnum=306173 - | |
References | () http://lists.apple.com/archives/Security-announce/2007/Jun/msg00003.html - Patch | |
References | () http://osvdb.org/36449 - | |
References | () http://secunia.com/advisories/25786 - Patch, Vendor Advisory | |
References | () http://secunia.com/advisories/26287 - Vendor Advisory | |
References | () http://www.kb.cert.org/vuls/id/845708 - US Government Resource | |
References | () http://www.securityfocus.com/archive/1/472198/100/0/threaded - | |
References | () http://www.securityfocus.com/bid/24598 - Patch | |
References | () http://www.securitytracker.com/id?1018281 - Patch | |
References | () http://www.vupen.com/english/advisories/2007/2296 - | |
References | () http://www.vupen.com/english/advisories/2007/2316 - | |
References | () http://www.vupen.com/english/advisories/2007/2731 - | |
References | () http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt - Patch, Vendor Advisory | |
References | () https://exchange.xforce.ibmcloud.com/vulnerabilities/35017 - |
09 Aug 2022, 13:46
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* |
Information
Published : 2007-06-25 19:30
Updated : 2024-11-21 00:30
NVD link : CVE-2007-2401
Mitre link : CVE-2007-2401
CVE.ORG link : CVE-2007-2401
JSON object : View
Products Affected
apple
- mac_os_x
- iphone_os
- mac_os_x_server
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')