Description
Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat JBoss Enterprise Web Server 1 | httpd | Will not fix | | |
| Red Hat Enterprise Linux 5 | httpd | Fixed | RHSA-2013:0130 | 08.01.2013 |
| Red Hat Enterprise Linux 6 | httpd | Fixed | RHSA-2013:0512 | 20.02.2013 |
| Red Hat JBoss Enterprise Application Platform 6.0 | | Fixed | RHSA-2012:1594 | 18.12.2012 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | antlr-eap6 | Fixed | RHSA-2012:1591 | 18.12.2012 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | apache-commons-beanutils | Fixed | RHSA-2012:1591 | 18.12.2012 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | apache-commons-cli | Fixed | RHSA-2012:1591 | 18.12.2012 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | apache-commons-codec-eap6 | Fixed | RHSA-2012:1591 | 18.12.2012 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | apache-commons-collections | Fixed | RHSA-2012:1591 | 18.12.2012 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | apache-commons-collections-eap6 | Fixed | RHSA-2012:1591 | 18.12.2012 |
Additional information
Status:
EPSS
2.6 Low
CVSS2
Related vulnerabilities
Cross-site scripting (XSS) vulnerability in the mod_negotiation module ...
ELSA-2013-0512: httpd security, bug fix, and enhancement update (LOW)