Description

Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.

Remediation

References

CVE-2007-4465

Related Vulnerabilities

Piwigo Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2015-1441)

Oracle Database Server CVE-2010-2390 Vulnerability (CVE-2010-2390)

Jboss EAP Improper Input Validation Vulnerability (CVE-2010-3708)

Liferay Portal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2024-25601)

TCExam Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-5747)

Severity

Medium

Classification

CVE-2007-4465 CWE-707

Tags

Missing Update Known Vulnerabilities