PT-2007-3734 · Apple · Iphone+1

Published: 2007-06-25 · Updated: 2022-08-09 · CVE-2007-2401

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Apple Mac OS X versions 10.3.9 through 10.4.9 and later, and iPhone versions before 1.0.1.

Description: The issue allows remote attackers to inject arbitrary HTTP headers via LF characters in an XMLHttpRequest request. This is possible because LF characters are not filtered when headers are serialized through the setRequestHeader function, so a single header value can terminate its header line and introduce additional header lines. This can be leveraged for cross-site scripting (XSS) attacks.

Recommendations: For Apple Mac OS X versions 10.3.9 through 10.4.9 and later, update to a version that includes a fix for this issue. For iPhone versions before 1.0.1, update to version 1.0.1 or later to resolve the issue.
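The serialization defect described above, as an added example that is not code from the advisory or from Apple: a header serializer that writes values through verbatim (the vulnerable behaviour) beside one that applies the token and field-value checks a hardened setRequestHeader performs before accepting a header. The function names, the header names and the sample value are constructed for illustration.

```javascript
// Vulnerable serializer: concatenates name and value verbatim, so a value
// containing "\n" ends the header line early and everything after the LF
// is emitted as further header lines (the CVE-2007-2401 pattern).
function serializeHeadersUnsafe(headers) {
  return Object.entries(headers)
    .map(([name, value]) => `${name}: ${value}\r\n`)
    .join("");
}

// Header name must be an HTTP token (RFC 7230 tchar set).
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
function isValidHeaderName(name) {
  return typeof name === "string" && TOKEN_RE.test(name);
}

// Header value must not contain CR, LF or NUL; this is the filter the
// vulnerable implementation lacked.
function isValidHeaderValue(value) {
  return typeof value === "string" && !/[\r\n\0]/.test(value);
}

// Hardened serializer: rejects the header at the API boundary instead of
// letting a line terminator reach the wire. Throws SyntaxError like a
// conforming setRequestHeader does for invalid input.
function serializeHeadersSafe(headers) {
  let out = "";
  for (const [name, value] of Object.entries(headers)) {
    if (!isValidHeaderName(name)) {
      throw new SyntaxError(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (!isValidHeaderValue(value)) {
      throw new SyntaxError(`invalid header value for ${name}`);
    }
    out += `${name}: ${value}\r\n`;
  }
  return out;
}

// Number of non-empty header lines in a serialized block; used to show
// that one submitted header became two on the unsafe path.
function countHeaderLines(serialized) {
  return serialized.split(/\r?\n/).filter((line) => line.length > 0).length;
}

// Constructed sample: a single header whose value embeds a bare LF.
const SAMPLE_HEADERS = { "X-Custom": "a\nX-Smuggled: b" };
```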

Exploit · Fix · XSS

Related Identifiers: CVE-2007-2401

Affected Products: Mac OS X, iPhone