CVE-2007-2401

Published: Jun 25, 2007Modified: Apr 23, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

CRLF injection vulnerability in WebCore in Apple Mac OS X 10.3.9, 10.4.9 and later, and iPhone before 1.0.1, allows remote attackers to inject arbitrary HTTP headers via LF characters in an XMLHttpRequest request, which are not filtered when serializing headers via the setRequestHeader function. NOTE: this issue can be leveraged for cross-site scripting (XSS) attacks.

Affected (4)

Products: Apple: Mac Os X, Mac Os X Server

2 products

Mac Os X Server

Configuration A

4 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Apple Mac Os X	Version 10.3.9
Apple Mac Os X	Version 10.4.9
Apple Mac Os X Server	Version 10.3.9
Apple Mac Os X Server	Version 10.4.9

Running on/with	Platform Versions
Apple Iphone Os	Up to 1.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (30)

http://docs.info.apple.com/article.html?artnum=305759

Source: cve@mitre.org

http://docs.info.apple.com/article.html?artnum=306173

Source: cve@mitre.org

http://lists.apple.com/archives/Security-announce/2007/Jun/msg00003.html

Source: cve@mitre.org

Patch

http://osvdb.org/36449

Source: cve@mitre.org

http://secunia.com/advisories/25786

Source: cve@mitre.org

PatchVendor Advisory

http://secunia.com/advisories/26287

Source: cve@mitre.org

Vendor Advisory

http://www.kb.cert.org/vuls/id/845708

Source: cve@mitre.org

US Government Resource

http://www.securityfocus.com/archive/1/472198/100/0/threaded

Source: cve@mitre.org

http://www.securityfocus.com/bid/24598

Source: cve@mitre.org

Patch

http://www.securitytracker.com/id?1018281

Source: cve@mitre.org

Patch

http://www.vupen.com/english/advisories/2007/2296

Source: cve@mitre.org

http://www.vupen.com/english/advisories/2007/2316

Source: cve@mitre.org

http://www.vupen.com/english/advisories/2007/2731

Source: cve@mitre.org

http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt

Source: cve@mitre.org

PatchVendor Advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/35017

Source: cve@mitre.org

http://docs.info.apple.com/article.html?artnum=305759

Source: af854a3a-2127-422b-91ae-364da2661108

http://docs.info.apple.com/article.html?artnum=306173

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.apple.com/archives/Security-announce/2007/Jun/msg00003.html

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://osvdb.org/36449

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/25786

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

http://secunia.com/advisories/26287

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.kb.cert.org/vuls/id/845708

Source: af854a3a-2127-422b-91ae-364da2661108

US Government Resource

http://www.securityfocus.com/archive/1/472198/100/0/threaded

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/24598

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://www.securitytracker.com/id?1018281

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://www.vupen.com/english/advisories/2007/2296

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.vupen.com/english/advisories/2007/2316

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.vupen.com/english/advisories/2007/2731

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/35017

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.