Back to search

Apache httpd Expect header Cross-Site Scripting (CVE-2006-3918)

Severity CVSS Published Added Modified
4 (AV:N/AC:M/Au:N/C:N/I:P/A:N) July 26, 2006 July 26, 2006 February 12, 2015


The affected asset is vulnerable to this Apache vulnerability ONLY if an attacker can influence the Expect header, for example using Flash. Review your Web server configuration for validation.

A flaw in the handling of invalid Expect headers. If an attacker can influence the Expect header that a victim sends to a target site they could perform a cross-site scripting attack. It is known that some versions of Flash can set an arbitrary Expect header which can trigger this flaw. Not marked as a security issue for 2.0 or 2.2 as the cross-site scripting is only returned to the victim after the server times out a connection.

Free Nexpose Download

Discover, prioritize, and remediate security risks today!

 Download now


Related Vulnerabilities