PublicDate: 2007-09-14 00:17:00 UTC
Candidate: CVE-2007-4465
References:
 https://rhn.redhat.com/errata/RHSA-2007-0911.html
 https://ubuntu.com/security/notices/USN-575-1
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
Description:
 Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache
 HTTP Server before 2.2.6, when the charset on a server-generated page is
 not defined, allows remote attackers to inject arbitrary web script or
 HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued
 that this issue is due to a design limitation of browsers that attempt to
 perform automatic content type detection.
Ubuntu-Description:
Notes:
 jdstrand> redhat has patch for all of their releases now
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/163828
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

upstream_apache2: released (2.2.6)
dapper_apache2: released (2.0.55-4ubuntu2.3)
edgy_apache2: released (2.0.55-4ubuntu4.2)
feisty_apache2: released (2.2.3-3.2ubuntu2.1)
gutsy_apache2: released (2.2.4-3ubuntu0.1)
devel_apache2: not-affected (2.2.6-1)