Vulnerability Database

CVE-2007-6203

Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918.

  • Published: Dec 3, 2007
  • Updated: Apr 13, 2023
  • CVE: CVE-2007-6203
  • Severity: Low
  • Exploit:

CVSS v2:

  • Severity: Low
  • Score: 4.3
  • Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

| Software | From | Fixed in |
|---|---|---|
| apache / http_server | 2.0.58 | 2.0.58.x |
| apache / http_server | 2.2.0 | 2.2.0.x |
| apache / http_server | 2.0.47 | 2.0.47.x |
| apache / http_server | 2.0.50 | 2.0.50.x |
| apache / http_server | 2.2.2 | 2.2.2.x |
| apache / http_server | 2.1.3 | 2.1.3.x |
| apache / http_server | 2.2.4 | 2.2.4.x |
| apache / http_server | 2.0.55 | 2.0.55.x |
| apache / http_server | 2.1.2 | 2.1.2.x |
| apache / http_server | 2.1.1 | 2.1.1.x |
| apache / http_server | 2.0.52 | 2.0.52.x |
| apache / http_server | 2.1.7 | 2.1.7.x |
| apache / http_server | 2.0.53 | 2.0.53.x |
| apache / http_server | 2.0.57 | 2.0.57.x |
| apache / http_server | 2.0.51 | 2.0.51.x |
| apache / http_server | 2.0.49 | 2.0.49.x |
| apache / http_server | 2.1.6 | 2.1.6.x |
| apache / http_server | 2.1.4 | 2.1.4.x |
| apache / http_server | 2.0.48 | 2.0.48.x |
| apache / http_server | 2.1.5 | 2.1.5.x |
| apache / http_server | 2.2.3 | 2.2.3.x |
| apache / http_server | 2.0.46 | 2.0.46.x |
| apache / http_server | 2.0.54 | 2.0.54.x |
| apache / http_server | 2.0.59 | 2.0.59.x |
| apache / http_server | 2.1.8 | 2.1.8.x |