Vulnerability Details : CVE-2007-4465
Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2007-4465
- cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
Threat overview for CVE-2007-4465
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2007-4465: 239,479
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2007-4465
- EPSS score: 3.79% (probability of exploitation activity in the next 30 days)
- Percentile: ~87% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2007-4465

Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-01-17
CWE ids for CVE-2007-4465
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by:
  - 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
  - nvd@nist.gov (Primary)
Vendor statements for CVE-2007-4465
- Apache (2007-09-14): The Apache security team believe that this issue is due to web browsers that are violating RFC2616. However, Apache 2.2.6 and 2.0.61 add a workaround for such browsers by adding Type and Charset options to the IndexOptions directive. This allows a site administrator to explicitly set the content-type and charset of the generated directory index page.
- Red Hat (2007-09-18): This is actually a flaw in browsers that do not derive the response character set as required by RFC 2616. This does not affect the default configuration of Apache httpd in Red Hat products and will only affect customers who have removed the "AddDefaultCharset" directive and are using directory indexes. The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-4465
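As an added illustration of the workaround both vendor statements describe (this is not configuration from the page or from the Apache project), the exposed setting beside the corrected one; the directory path is an assumption:

```apache
# Exposed: a listing generated by mod_autoindex is sent without a charset
# when no AddDefaultCharset is in effect, leaving the browser to guess the
# encoding (the condition described in the advisory). Path is assumed.
<Directory "/var/www/html/downloads">
    Options +Indexes
</Directory>

# Corrected: declare the encoding explicitly. AddDefaultCharset appends
# charset=UTF-8 to text/plain and text/html responses that lack one;
# IndexOptions Charset/Type (httpd 2.2.6 and 2.0.61 onward) pin the
# content type and charset of the generated index page itself.
AddDefaultCharset UTF-8
<Directory "/var/www/html/downloads">
    Options +Indexes
    IndexOptions Charset=UTF-8 Type=text/html
</Directory>
```

After reloading, a request for the directory listing should return a Content-Type header carrying charset=UTF-8; if it does not, the listing is still subject to browser encoding detection.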
References for CVE-2007-4465
- http://secunia.com/advisories/27732 (Broken Link)
- http://secunia.com/advisories/26842 (Broken Link)
- http://securityreason.com/achievement_securityalert/46: Apache 2.2.5 Undefined Charset UTF-7 XSS Vulnerability - CXSecurity.com (Third Party Advisory)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10929 (Broken Link)
- http://www.vupen.com/english/advisories/2008/1697 (Permissions Required; Third Party Advisory)
- http://bugs.gentoo.org/show_bug.cgi?id=186219: 186219 – www-servers/apache Multiple issues (CVE-2006-{5752}, CVE-2007-{1862,1863,3304,3847,4465}) (Third Party Advisory)
- http://securityreason.com/securityalert/3113: Apache 2.2.5 Undefined Charset UTF-7 XSS Vulnerability - CXSecurity.com (Third Party Advisory)
- http://secunia.com/advisories/27563 (Broken Link)
- http://marc.info/?l=bugtraq&m=124654546101607&w=2: '[security bulletin] HPSBUX02431 SSRT090085 rev.1 - HP-UX Running Apache Web Server Suite, Remote Den' - MARC (Third Party Advisory; VDB Entry)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36586: Apache HTTP Server UTF-7 cross-site scripting CVE-2007-4465 Vulnerability Report (Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/bid/25653 (Patch; Third Party Advisory; VDB Entry)
- http://www.ubuntu.com/usn/usn-575-1: USN-575-1: Apache vulnerabilities (Third Party Advisory)
- http://marc.info/?l=bugtraq&m=125631037611762&w=2: '[security bulletin] HPSBUX02465 SSRT090192 rev.1 - HP-UX Running Apache-based Web Server, Remote Den' - MARC (Mailing List; Third Party Advisory)
- http://securitytracker.com/id?1019194 (Third Party Advisory; VDB Entry)
- http://secunia.com/advisories/28607 (Broken Link)
- http://www.redhat.com/support/errata/RHSA-2007-0911.html (Broken Link)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6089 (Broken Link)
- http://www.redhat.com/support/errata/RHSA-2008-0004.html (Broken Link)
- http://www.redhat.com/support/errata/RHSA-2008-0006.html (Broken Link)
- http://www.securityfocus.com/archive/1/479237/100/0/threaded (Broken Link; Third Party Advisory; VDB Entry)
- http://secunia.com/advisories/30430 (Broken Link)
- http://secunia.com/advisories/26952 (Broken Link)
- http://secunia.com/advisories/28749 (Broken Link)
- http://www.redhat.com/support/errata/RHSA-2008-0008.html (Broken Link)
- http://secunia.com/advisories/35650 (Broken Link)
- http://secunia.com/advisories/33105 (Broken Link)
- http://www.redhat.com/support/errata/RHSA-2008-0005.html (Broken Link)
- http://www.us-cert.gov/cas/techalerts/TA08-150A.html (Third Party Advisory; US Government Resource)
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:014 (Third Party Advisory)
- https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00353.html: [SECURITY] Fedora Core 6 Update: httpd-2.2.6-1.fc6 (Third Party Advisory)
- http://www.fujitsu.com/global/support/software/security/products-f/interstage-200807e.html (Third Party Advisory)
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01539432 (Broken Link)
- http://secunia.com/advisories/31651 (Broken Link)
- http://www.apache.org/dist/httpd/CHANGES_2.2.6 (Broken Link)
- http://support.avaya.com/elmodocs2/security/ASA-2008-032.htm: ASA-2008-032 (RHSA-2008-0006) (Third Party Advisory)
- http://www.novell.com/linux/security/advisories/2007_61_apache2.html (Third Party Advisory)
- http://www.redhat.com/support/errata/RHSA-2008-0261.html (Broken Link)
- http://security.gentoo.org/glsa/glsa-200711-06.xml: Apache: Multiple vulnerabilities (GLSA 200711-06) (Third Party Advisory)
- http://lists.apple.com/archives/security-announce/2008//May/msg00001.html (Mailing List)
- http://www.redhat.com/archives/fedora-package-announce/2007-September/msg00320.html: [SECURITY] Fedora 7 Update: httpd-2.2.6-1.fc7 (Broken Link)
- http://secunia.com/advisories/28471 (Broken Link)
- http://secunia.com/advisories/28467 (Broken Link)