History: Jun 25, 2007 - 7:30 p.m.

CVE-2007-2401

2007-06-25 19:30:00
CWE-79
mitre
web.nvd.nist.gov
32
cve-2007-2401
crlf injection
webcore
apple
mac os x
iphone
vulnerability
http headers
xss
cross-site scripting
xmlhttprequest

CVSS2: 4.3

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score: 5.6
Confidence: High

EPSS: 0.014
Percentile: 86.5%

CRLF injection vulnerability in WebCore in Apple Mac OS X 10.3.9, 10.4.9 and later, and iPhone before 1.0.1, allows remote attackers to inject arbitrary HTTP headers via LF characters in an XMLHttpRequest request, which are not filtered when serializing headers via the setRequestHeader function. NOTE: this issue can be leveraged for cross-site scripting (XSS) attacks.

Affected configurations

Nvd
Node
apple  iphone_os  Range ≤ 1.0
AND
apple  mac_os_x  Match 10.3.9
OR
apple  mac_os_x  Match 10.4.9
OR
apple  mac_os_x_server  Match 10.3.9
OR
apple  mac_os_x_server  Match 10.4.9

Vendor  Product          Version  CPE
apple   iphone_os        *        cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
apple   mac_os_x         10.3.9   cpe:2.3:o:apple:mac_os_x:10.3.9:*:*:*:*:*:*:*
apple   mac_os_x         10.4.9   cpe:2.3:o:apple:mac_os_x:10.4.9:*:*:*:*:*:*:*
apple   mac_os_x_server  10.3.9   cpe:2.3:o:apple:mac_os_x_server:10.3.9:*:*:*:*:*:*:*
apple   mac_os_x_server  10.4.9   cpe:2.3:o:apple:mac_os_x_server:10.4.9:*:*:*:*:*:*:*
