CVE-2006-3918
EPSS 91.4%
Description
http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.
How to fix CVE-2006-3918
To remediate CVE-2006-3918, upgrade the affected package to a fixed version below.
- Debian/apache2—upgrade to 2.0.55-4.1 or later
Is CVE-2006-3918 being exploited?
Likely — EPSS is 91.4%, placing CVE-2006-3918 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- Debian/apache2: all versions below 2.0.55-4.1