CVE-2007-2401

CRLF injection vulnerability in WebCore in Apple Mac OS X 10.3.9, 10.4.9 and later, and iPhone before 1.0.1, allows remote attackers to inject arbitrary HTTP headers via LF characters in an XMLHttpRequest request, which are not filtered when serializing headers via the setRequestHeader function. NOTE: this issue can be leveraged for cross-site scripting (XSS) attacks.

Published: Jun 25, 2007
Updated: Apr 13, 2023
CVE: CVE-2007-2401
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
apple / mac_os_x	10.3.9	10.3.9.x
apple / mac_os_x	10.4.9	10.4.9.x
apple / mac_os_x_server	10.3.9	10.3.9.x
apple / mac_os_x_server	10.4.9	10.4.9.x

http://docs.info.apple.com/article.html?artnum=305759
http://docs.info.apple.com/article.html?artnum=306173
http://lists.apple.com/archives/Security-announce/2007/Jun/msg00003.html
http://osvdb.org/36449
http://secunia.com/advisories/25786
http://secunia.com/advisories/26287
http://www.kb.cert.org/vuls/id/845708
http://www.securityfocus.com/archive/1/472198/100/0/threaded
http://www.securityfocus.com/bid/24598
http://www.securitytracker.com/id?1018281
http://www.vupen.com/english/advisories/2007/2296
http://www.vupen.com/english/advisories/2007/2316
http://www.vupen.com/english/advisories/2007/2731
http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt
https://exchange.xforce.ibmcloud.com/vulnerabilities/35017

Vulnerability Database

290,476

CVE-2007-2401