CVE-2007-2401: XSS
First published: Mon Jun 25 2007(Updated: )
CRLF injection vulnerability in WebCore in Apple Mac OS X 10.3.9, 10.4.9 and later, and iPhone before 1.0.1, allows remote attackers to inject arbitrary HTTP headers via LF characters in an XMLHttpRequest request, which are not filtered when serializing headers via the setRequestHeader function. NOTE: this issue can be leveraged for cross-site scripting (XSS) attacks.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| iPhone OS | <=1.0 | |
| Apple iOS and macOS | =10.3.9 | |
| Apple iOS and macOS | =10.4.9 | |
| Apple iOS and macOS | =10.3.9 | |
| Apple iOS and macOS | =10.4.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt
- http://docs.info.apple.com/article.html?artnum=305759
- http://lists.apple.com/archives/Security-announce/2007/Jun/msg00003.html
- http://www.kb.cert.org/vuls/id/845708
- http://www.securityfocus.com/bid/24598
- http://www.securitytracker.com/id?1018281
- http://secunia.com/advisories/25786
- http://docs.info.apple.com/article.html?artnum=306173
- http://secunia.com/advisories/26287
- http://www.vupen.com/english/advisories/2007/2316
- http://www.vupen.com/english/advisories/2007/2731
- http://www.vupen.com/english/advisories/2007/2296
- http://osvdb.org/36449
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35017
- http://www.securityfocus.com/archive/1/472198/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2007-2401?
CVE-2007-2401 has a moderate severity level due to its ability to allow attackers to inject arbitrary HTTP headers.
How do I fix CVE-2007-2401?
To mitigate CVE-2007-2401, upgrade to a version of Mac OS X or iPhone OS that is not affected by the vulnerability.
What affected software versions are impacted by CVE-2007-2401?
CVE-2007-2401 affects Apple Mac OS X versions 10.3.9 and 10.4.9, as well as iPhone OS versions before 1.0.1.
Can CVE-2007-2401 lead to remote code execution?
CVE-2007-2401 does not directly lead to remote code execution but allows header injection which may be exploited further.
What types of attacks can exploit CVE-2007-2401?
CVE-2007-2401 can be exploited through CRLF injection attacks to manipulate HTTP responses and headers.
- collector/nvd-historical
- agent/weakness
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/author
- agent/last-modified-date
- agent/severity
- agent/references
- agent/event
- agent/description
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- vendor/apple
- canonical/iphone os
- version/iphone os/1.0
- canonical/apple ios and macos
- version/apple ios and macos/10.3.9
- version/apple ios and macos/10.4.9