NVD

Id
62576  
Name
CVE-2006-3918  
Description
http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.  
Reject
 
CVSS Version
2  
CVSS Score
4.3  
Severity
Medium  
CVSS Base Score
4.3  
CVSS Impact Subscore
2.9  
CVSS Exploit Subscore
8.6  
CVSS Vector
(AV:N/AC:M/Au:N/C:N/I:P/A:N)  
Pub Date
2016-12-20  
Published
2006-07-27  
Modified Date
2012-11-05  
Seq
2006-3918  

Actions

Related NVD References

Id NVD Id NVD No. Reference Actions
325173 62576 CVE-2006-3918 20060801-01-P  View
325174 62576 CVE-2006-3918 20060508 Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1  View
325175 62576 CVE-2006-3918 20060724 Write-up by Amit Klein: "Forging HTTP request headers with Flash"  View
325176 62576 CVE-2006-3918 http://kb.vmware.com/KanisaPlatform/Publishing/466/5915871_f.SAL_Public.html  View
325177 62576 CVE-2006-3918 SUSE-SA:2008:021  View
325178 62576 CVE-2006-3918 SSRT090192  View
325179 62576 CVE-2006-3918 SSRT100345  View
325180 62576 CVE-2006-3918 HPSBOV02683  View
325181 62576 CVE-2006-3918 [3.9] 012: SECURITY FIX: October 7, 2006  View
325182 62576 CVE-2006-3918 oval:org.mitre.oval:def:10352  View
325183 62576 CVE-2006-3918 oval:org.mitre.oval:def:12238  View
325184 62576 CVE-2006-3918 RHSA-2006:0618  View
325185 62576 CVE-2006-3918 RHSA-2006:0692  View
325186 62576 CVE-2006-3918 1294  View
325187 62576 CVE-2006-3918 1016569  View
325188 62576 CVE-2006-3918 http://support.avaya.com/elmodocs2/security/ASA-2006-194.htm  View
325189 62576 CVE-2006-3918 http://svn.apache.org/viewvc?view=rev&revision=394965  View
325190 62576 CVE-2006-3918 PK24631  View
325191 62576 CVE-2006-3918 PK27875  View
325192 62576 CVE-2006-3918 DSA-1167  View
325193 62576 CVE-2006-3918 http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2010-2.html  View
325194 62576 CVE-2006-3918 SUSE-SA:2006:051  View
325195 62576 CVE-2006-3918 RHSA-2006:0619  View
325196 62576 CVE-2006-3918 19661  View
325197 62576 CVE-2006-3918 1024144  View
325198 62576 CVE-2006-3918 USN-575-1  View
325199 62576 CVE-2006-3918 ADV-2006-2963  View
325200 62576 CVE-2006-3918 ADV-2006-2964  View
325201 62576 CVE-2006-3918 ADV-2006-3264  View
325202 62576 CVE-2006-3918 ADV-2006-4207  View
325203 62576 CVE-2006-3918 ADV-2006-5089  View
325204 62576 CVE-2006-3918 ADV-2010-1572  View
325205 62576 CVE-2006-3918 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117  View

Related JVN

Id Name Title Summary Cveinfo Name Cveinfo Id Nvdinfo Name Nvdinfo Id Cvssv2 Cvssv3 Jvnurl Published Date Last Updated Date Actions
58245 JVNDB-2006-000441 Apache HTTP Server の Expect リクエストヘッダにおけるクロスサイトスクリプティングの脆弱性 Apache HTTP Server には、 Expect リクエストヘッダをエラーページに出力する際に適切にエスケープ処理が行われないため、スクリプト文が挿入された Expect リクエストヘッダに対して 417 Expectation Failed エラーページを出力した場合、挿入されたスクリプトが実行されてしまう脆弱性が存在します。 CVE-2006-3918 20020 CVE-2006-3918 62576 4.3 http://jvndb.jvn.jp/ja/contents/2006/JVNDB-2006-000441.html 2006-07-24 2014-05-22 View