CVE-2007-4465 — Cross-site Scripting in Apache Http Server

CWE-79 — Cross-site Scripting9 documents8 sources

Severity

6.1MEDIUMNVD

EPSS

2.8%

top 13.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server

Timeline

PublishedSep 14

Latest updateMay 1

Description

Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDapache/http_server2.0.0 — 2.0.61+1

Patches

Patch: www.securityfocus.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-7286-985c-74qv: Cross-site scripting (XSS) vulnerability in mod_autoindex↗2022-05-01

▶

OSV

CVE-2007-4465: Cross-site scripting (XSS) vulnerability in mod_autoindex↗2007-09-14

▶

CVEList

CVE-2007-4465: Cross-site scripting (XSS) vulnerability in mod_autoindex↗2007-09-14

▶

📋Vendor Advisories

Ubuntu

Apache vulnerabilities↗2008-02-04

▶

Red Hat

mod_autoindex XSS↗2007-09-13

▶

Debian

CVE-2007-4465: apache2 - Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP S...↗2007

▶

💬Community

Bugzilla

CVE-2008-2168 httpd: XSS via UTF-7 encoded urls on the 403 Forbidden error page↗2008-05-14

▶

Bugzilla

CVE-2007-4465 mod_autoindex XSS↗2007-09-13

▶