Back to search
CVE-2007-2401
Published: Jun 25, 2007
Modified: Aug 7, 2024
PUBLISHED
Description
CRLF injection vulnerability in WebCore in Apple Mac OS X 10.3.9, 10.4.9 and later, and iPhone before 1.0.1, allows remote attackers to inject arbitrary HTTP headers via LF characters in an XMLHttpRequest request, which are not filtered when serializing headers via the setRequestHeader function. NOTE: this issue can be leveraged for cross-site scripting (XSS) attacks.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
ADV-2007-2316
vdb-entry
x_refsource_VUPEN
http://docs.info.apple.com/article.html?artnum=306173
x_refsource_CONFIRM
macos-xmlhttprequest-header-injection(35017)
vdb-entry
x_refsource_XF
APPLE-SA-2007-06-22
vendor-advisory
x_refsource_APPLE
25786
third-party-advisory
x_refsource_SECUNIA
http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt
x_refsource_MISC
26287
third-party-advisory
x_refsource_SECUNIA
20070625 Safari XMLHttpRequest HTTP header injection
mailing-list
x_refsource_BUGTRAQ
http://docs.info.apple.com/article.html?artnum=305759
x_refsource_CONFIRM
24598
vdb-entry
x_refsource_BID
ADV-2007-2731
vdb-entry
x_refsource_VUPEN
36449
vdb-entry
x_refsource_OSVDB
1018281
vdb-entry
x_refsource_SECTRACK
ADV-2007-2296
vdb-entry
x_refsource_VUPEN
VU#845708
third-party-advisory
x_refsource_CERT-VN
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now