CVE-2007-4465
published 2007-09-14CVE-2007-4465: Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined…
medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | http_server | >= 2.0.0 < 2.0.61 | 2.0.61 |
| apache | http_server | >= 2.2.0 < 2.2.6 | 2.2.6 |
| debian | apache2 | < apache2 2.2.6-1 (bookworm) | apache2 2.2.6-1 (bookworm) |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv6.1MEDIUM