CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
AI Score: 6.5 Medium (Confidence: Low)
EPSS: 0.01 Low (Percentile: 83.7%)
ELinks before 0.11.3, when sending a POST request for an https URL, appends the body and content headers of the POST request to the CONNECT request in cleartext, which allows remote attackers to sniff sensitive data that would have been protected by TLS. NOTE: this issue only occurs when a proxy is defined for https.
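A defender can check captured client-to-proxy traffic for the pattern described above. The following is an added example, not code from ELinks or from any of the referenced advisories; the function name audit_connect, the host name, the form fields and the sample byte strings are all constructed for illustration.

```python
import re

# Entity headers describe a request body; a CONNECT request carries none.
ENTITY_HEADERS = {b"content-type", b"content-length"}

def audit_connect(stream: bytes) -> list[str]:
    """Return findings for the client-to-proxy bytes of one connection."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not re.match(rb"CONNECT \S+ HTTP/1\.[01]$", lines[0]):
        return []  # not a CONNECT tunnel request; out of scope
    findings = []
    for line in lines[1:]:
        name = line.split(b":", 1)[0].strip().lower()
        if name in ENTITY_HEADERS:
            findings.append(f"entity header in CONNECT: {name.decode()}")
    # After the header block the client should send only TLS records:
    # content type 20-23 followed by major version byte 3.
    if rest and not (20 <= rest[0] <= 23 and rest[1:2] == b"\x03"):
        findings.append(f"{len(rest)} cleartext bytes after CONNECT headers")
    return findings

# Constructed sample: POST body and content headers appended to CONNECT.
LEAKY = (
    b"CONNECT login.example.test:443 HTTP/1.1\r\n"
    b"Host: login.example.test:443\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=hunter2"
)

# Constructed sample: bare CONNECT followed by the start of a TLS record.
CLEAN = (
    b"CONNECT login.example.test:443 HTTP/1.1\r\n"
    b"Host: login.example.test:443\r\n"
    b"\r\n"
    b"\x16\x03\x01\x00\x05hello"
)

if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, audit_connect(sample))
```
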
bugzilla.elinks.cz/show_bug.cgi?id=937
secunia.com/advisories/26936
secunia.com/advisories/26949
secunia.com/advisories/26956
secunia.com/advisories/27038
secunia.com/advisories/27062
secunia.com/advisories/27125
secunia.com/advisories/27132
www.debian.org/security/2007/dsa-1380
www.redhat.com/support/errata/RHSA-2007-0933.html
www.securityfocus.com/archive/1/481606/100/0/threaded
www.securityfocus.com/bid/25799
www.securitytracker.com/id?1018764
www.ubuntu.com/usn/usn-519-1
www.vupen.com/english/advisories/2007/3278
bugs.launchpad.net/ubuntu/+source/elinks/+bug/141018
bugzilla.redhat.com/show_bug.cgi?id=297981
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10335
www.redhat.com/archives/fedora-package-announce/2007-October/msg00079.html
www.redhat.com/archives/fedora-package-announce/2007-September/msg00335.html