Vulnerability Details : CVE-2007-2400
Race condition in Apple Safari 3 Beta before 3.0.2 on Mac OS X, Windows XP, Windows Vista, and iPhone before 1.0.1 allows remote attackers to bypass the JavaScript security model, modify pages outside of the security domain, and conduct cross-site scripting (XSS) attacks via vectors related to page updating and HTTP redirects.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2007-2400
- cpe:2.3:a:apple:safari:3.0.1:*:windows:*:*:*:*:* (when used together with: Microsoft » Windows Vista; Microsoft » Windows XP)
- cpe:2.3:a:apple:safari:3.0:*:windows:*:*:*:*:* (when used together with: Microsoft » Windows Vista; Microsoft » Windows XP)
- cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (when used together with: Microsoft » Windows Vista; Microsoft » Windows XP)
Exploit prediction scoring system (EPSS) score for CVE-2007-2400
- EPSS score: 1.54% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~87% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2007-2400
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | 
CWE ids for CVE-2007-2400
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: nvd@nist.gov, Primary)
- The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2007-2400
- http://www.kb.cert.org/vuls/id/289988 (US Government Resource)
- http://www.securityfocus.com/bid/24599 (Patch)
- http://www.vupen.com/english/advisories/2007/2316 (Vendor Advisory)
- http://www.vupen.com/english/advisories/2007/2731 (Vendor Advisory)
- http://www.securitytracker.com/id?1018282 (Patch)
- http://lists.apple.com/archives/Security-announce/2007/Jun/msg00004.html (Patch; Vendor Advisory)
- http://docs.info.apple.com/article.html?artnum=306173 (Vendor Advisory)