
CVE-2006-3918

MEDIUM
4.3 (NVD)

http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.

CVSS v2.0 Score

4.3 / 10.0
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N

Information

Published
28 Jul 2006
Updated
16 Apr 2026
Status
Modified
Source
cve@mitre.org

Affected products

Versions: 1.3.35
debian debian linux
Versions: 3.1
canonical ubuntu linux
Versions: 6.06, 6.10, 7.04, 7.10
redhat enterprise linux server
Versions: 2.0
redhat enterprise linux workstation
Versions: 2.0

Weaknesses (CWE)

CWE-79
