Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
AND |
|
History
07 Nov 2023, 02:01
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
21 Sep 2022, 19:09
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.19:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.55:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.60:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.31:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.35:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.28:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.26:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.32:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.28:beta:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.33:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.48:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.61:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.43:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.34:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.39:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.40:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.51:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.56:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.32:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.52:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.49:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.25:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.17:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.29:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.41:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.36:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.54:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.58:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.45:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.50:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.44:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.23:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.59:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.42:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.37:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.18:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.47:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.53:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.22:*:*:*:*:*:*:* |
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:* |
First Time |
Redhat enterprise Linux
Redhat enterprise Linux Server Redhat enterprise Linux Desktop Redhat Redhat enterprise Linux Workstation Redhat jboss Enterprise Application Platform |
|
References | (XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/39867 - Third Party Advisory, VDB Entry | |
References | (MLIST) https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (BUGTRAQ) http://www.securityfocus.com/archive/1/486847/100/0/threaded - Third Party Advisory, VDB Entry | |
References | (MLIST) https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (REDHAT) http://rhn.redhat.com/errata/RHSA-2013-0130.html - Third Party Advisory | |
References | (SREASON) http://securityreason.com/securityalert/3575 - Exploit, Third Party Advisory | |
References | (REDHAT) http://rhn.redhat.com/errata/RHSA-2012-1594.html - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (SECTRACK) http://securitytracker.com/id?1019256 - Broken Link, Exploit, Third Party Advisory, VDB Entry | |
References | (MLIST) https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (SECUNIA) http://secunia.com/advisories/29348 - Not Applicable | |
References | (MLIST) https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r05b5357d1f6bd106f41541ee7d87aafe3f5ea4dc3e9bde5ce09baff8@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (GENTOO) http://security.gentoo.org/glsa/glsa-200803-19.xml - Third Party Advisory | |
References | (REDHAT) http://rhn.redhat.com/errata/RHSA-2012-1591.html - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (BID) http://www.securityfocus.com/bid/27409 - Exploit, Third Party Advisory, VDB Entry | |
References | (MLIST) https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (REDHAT) http://rhn.redhat.com/errata/RHSA-2012-1592.html - Third Party Advisory | |
References | (SECUNIA) http://secunia.com/advisories/51607 - Not Applicable | |
References | (MLIST) https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r9b4b963760a3cb5a4a70c902f325c6c0337fe51d5b8570416f8f8729@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory |
06 Jun 2021, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
30 Mar 2021, 12:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2008-01-25 01:00
Updated : 2023-12-10 10:40
NVD link : CVE-2008-0455
Mitre link : CVE-2008-0455
CVE.ORG link : CVE-2008-0455
JSON object : View
Products Affected
redhat
- enterprise_linux_server
- enterprise_linux
- enterprise_linux_desktop
- enterprise_linux_workstation
- jboss_enterprise_application_platform
apache
- http_server
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')