Vulnerability Name:

CVE-2007-4512 (CCN-36478)

Assigned: 2007-09-04
Published: 2007-09-04
Updated: 2018-10-15
Summary: Cross-site scripting (XSS) vulnerability in Sophos Anti-Virus for Windows 6.x before 6.5.8 and 7.x before 7.0.1 allows remote attackers to inject arbitrary web script or HTML via an archive with a file that matches a virus signature and has a crafted filename that is not properly handled by the print function in SavMain.exe.
CVSS v3 Severity: 3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
1.9 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Gain Access
References:
Source: CCN
Type: BugTraq Mailing List, Thu Sep 06 2007 - 07:48:05 CDT
Sophos Anti-Virus 6.5.4 Vulnerability (zip xss)

Source: MITRE
Type: CNA
CVE-2007-4512

Source: OSVDB
Type: UNKNOWN
37527

Source: CCN
Type: SA26714
Sophos Anti-Virus Archive Filename Script Insertion Vulnerability

Source: SECUNIA
Type: UNKNOWN
26714

Source: SREASON
Type: UNKNOWN
3107

Source: CCN
Type: OSVDB ID: 37527
Sophos Anti-Virus Archive Crafted Filename XSS

Source: BUGTRAQ
Type: UNKNOWN
20070906 Sophos Anti-Virus 6.5.4 Vulnerability

Source: BID
Type: Patch
25572

Source: CCN
Type: BID-25572
Sophos Anti-Virus ZIP Archive HTML Injection Vulnerability

Source: CCN
Type: Sophos Support Knowledgebase Article 29150
Advisory: Sophos Anti-Virus Cross-site script vulnerability reported

Source: CONFIRM
Type: Patch
http://www.sophos.com/support/knowledgebase/article/29150.html

Source: VUPEN
Type: UNKNOWN
ADV-2007-3077

Source: XF
Type: UNKNOWN
sophos-zip-xss(36478)

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:sophos:anti-virus:*:*:*:*:*:*:*:* (Version <= 6.5.4_r2)
  • OR cpe:/a:sophos:anti-virus:*:*:*:*:*:*:*:* (Version <= 7.0)

  • * Denotes that component is vulnerable