Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2007-2401Cross-site Scripting in Apple MAC OS X

CWE-79Cross-site Scripting3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
3.3%
top 12.75%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Apple MAC OS XApple MAC OS X Server
Timeline
PublishedJun 25
Latest updateMay 1

Description

CRLF injection vulnerability in WebCore in Apple Mac OS X 10.3.9, 10.4.9 and later, and iPhone before 1.0.1, allows remote attackers to inject arbitrary HTTP headers via LF characters in an XMLHttpRequest request, which are not filtered when serializing headers via the setRequestHeader function. NOTE: this issue can be leveraged for cross-site scripting (XSS) attacks.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

NVDapple/mac_os_x10.3.9, 10.4.9+1
NVDapple/mac_os_x_server10.3.9, 10.4.9+1

Patches

Patch: lists.apple.comPatch: secunia.comPatch: www.securityfocus.com

🔴Vulnerability Details

1
GHSA
GHSA-mpp5-3g49-3p3w: CRLF injection vulnerability in WebCore in Apple Mac OS X 102022-05-01

💥Exploits & PoCs

1
Exploit-DB
Apple WebCore - XMLHTTPRequest Cross-Site Scripting2007-06-22
CVE-2007-2401 — Cross-site Scripting in Apple MAC OS X | cvebase