CVE-2007-4465

Publication date 14 September 2007

Last updated 25 August 2025

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

6.1 · Medium

Score breakdown

Description

Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.

Read the notes from the security team

Status

Package Ubuntu Release Status

Notes

jdstrand

redhat has patch for all of there releases now

Severity score breakdown

Parameter Value
Base score 6.1 · Medium
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality Low
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

Related Ubuntu Security Notices (USN)

    • USN-575-1
    • Apache vulnerabilities
    • 4 February 2008

Other references