CVE-2007-6421 : Cross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTTP Server 2.2.0 throu

Cross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) ss, (2) wr, or (3) rr parameters, or (4) the URL.

Published 2008-01-08 19:46:00

Updated 2021-06-06 11:15:15

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Threat overview for CVE-2007-6421

Top countries where our scanners detected CVE-2007-6421

Top open port discovered on systems with this issue 80

IPs affected by CVE-2007-6421 101,708

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2007-6421!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2007-6421

Probability of exploitation activity in the next 30 days: 0.70%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 80 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2007-6421

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.5	LOW	AV:N/AC:M/Au:S/C:N/I:P/A:N	6.8	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2007-6421

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

Vendor statements for CVE-2007-6421

Apache 2008-07-02

Fixed in Apache HTTP Server 2.2.8. http://httpd.apache.org/security/vulnerabilities_22.html

References for CVE-2007-6421

https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E

svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2

CVEs referencing this url
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E

svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html s

CVEs referencing this url
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00562.html

[SECURITY] Fedora 8 Update: httpd-2.2.8-1.fc8

CVEs referencing this url
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E

svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00004.html

[security-announce] SUSE Security Announcement: Apache,Apache2 security problems (SUSE-SA:2008:021) - openSUSE Security Announce - openSUSE Mailing Lists

CVEs referencing this url
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E

svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html

CVEs referencing this url
https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8@%3Ccvs.httpd.apache.org%3E

svn commit: r1073149 [6/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/-Apache Mail Archives

CVEs referencing this url
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00541.html

[SECURITY] Fedora 7 Update: httpd-2.2.8-1.fc7

CVEs referencing this url
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8651
http://www.ubuntu.com/usn/usn-575-1

USN-575-1: Apache vulnerabilities | Ubuntu security notices | Ubuntu

CVEs referencing this url
http://securityreason.com/securityalert/3523

Apache2 CSRF, XSS, Memory Corruption and Denial of Service Vulnerability - CXSecurity.com

CVEs referencing this url
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html

CVEs referencing this url
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E

svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ - Pony Mail

CVEs referencing this url
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3Ccvs.httpd.apache.org%3E

svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2

CVEs referencing this url
http://www.mandriva.com/security/advisories?name=MDVSA-2008:016

Mandriva

CVEs referencing this url
http://www.securityfocus.com/archive/1/486169/100/0/threaded

CVEs referencing this url
http://www.redhat.com/support/errata/RHSA-2008-0008.html

Support

CVEs referencing this url
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E

Pony Mail!

CVEs referencing this url
https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919@%3Ccvs.httpd.apache.org%3E

CVEs referencing this url
http://www.vupen.com/english/advisories/2008/0048

CVEs referencing this url
http://www.redhat.com/support/errata/RHSA-2008-0009.html

Support

CVEs referencing this url
http://www.securityfocus.com/bid/27236

CVEs referencing this url
http://docs.info.apple.com/article.html?artnum=307562

CVEs referencing this url
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E

Pony Mail!

CVEs referencing this url
http://httpd.apache.org/security/vulnerabilities_22.html

httpd 2.2 vulnerabilities - The Apache HTTP Server Project

CVEs referencing this url
https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24@%3Ccvs.httpd.apache.org%3E

svn commit: r1075360 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2

CVEs referencing this url
https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be@%3Ccvs.httpd.apache.org%3E

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/39474
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E

svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_

CVEs referencing this url
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E

svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_

CVEs referencing this url
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10664
http://www.vupen.com/english/advisories/2008/0924/references

Webmail: access your OVH emails on ovhcloud.com | OVHcloud

CVEs referencing this url

Products affected by CVE-2007-6421

Apache » Http Server » Version: N/A
cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 2.2.1
cpe:2.3:a:apache:http_server:2.2.1:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 2.2
cpe:2.3:a:apache:http_server:2.2:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 2.2.3
cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 2.2.4
cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 2.2.2
cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 2.2.6
cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:*
Matching versions