http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
07 Nov 2023, 01:59
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2006-07-28 00:04
Updated : 2024-02-28 10:42
NVD link : CVE-2006-3918
Mitre link : CVE-2006-3918
CVE.ORG link : CVE-2006-3918
JSON object : View
Products Affected
debian
- debian_linux
redhat
- enterprise_linux_server
- enterprise_linux_workstation
canonical
- ubuntu_linux
apache
- http_server
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')