CVE-2007-6388

MEDIUM

Description

Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Practitioner notes: the server-status handler is not enabled in the default httpd configuration, so only deployments that have configured a <Location /server-status> block with SetHandler server-status are exposed, and only to clients allowed to reach that location. Upstream closed the issue in 1.3.41, 2.0.63 and 2.2.8 (the thresholds used by the Apache plugins listed under Tenable Plugins below). Red Hat, Mandriva, Ubuntu, SUSE, Slackware and Fedora shipped backported fixes under the advisories in the References, so a packaged httpd can be patched while its Server banner still reports an affected upstream version; check the package, not the banner. Restricting /server-status to trusted source addresses, or not loading mod_status at all, removes the exposure regardless of version.
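As an added illustration that is not part of the Tenable/NVD entry and not Apache's own code: a small Python check that turns the affected ranges from the description above, and the fixed releases named in the plugin titles below, into a banner test, together with the numeric-only handling of the mod_status refresh query parameter. The function names and the sample banners are mine; the refresh-parameter detail comes from Apache's CHANGES entry for 2.2.8, not from this page, and is marked as an assumption in the code.

```python
"""Banner and refresh-parameter checks for CVE-2007-6388 (added example)."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, taken from the CVE description on this page.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((1, 3, 2), (1, 3, 39)),
    ((2, 0, 35), (2, 0, 61)),
    ((2, 2, 0), (2, 2, 6)),
)

# First fixed upstream release per branch, matching the Tenable plugin titles
# "Apache 1.3.x < 1.3.41", "Apache < 2.0.63" and "Apache 2.2.x < 2.2.8".
FIXED_VERSIONS = {(1, 3): "1.3.41", (2, 0): "2.0.63", (2, 2): "2.2.8"}

# Matches "Apache/2.2.3" in a Server header or `httpd -v` line, and also a bare
# "Apache" banner that hides the version (ServerTokens Prod).
_BANNER_RE = re.compile(r"\bApache(?:/(\d+(?:\.\d+)*))?", re.IGNORECASE)


def parse_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch) from a banner, or None if no version is shown."""
    m = _BANNER_RE.search(banner)
    if m is None or m.group(1) is None:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]          # "2.2" means the 2.2.0 release
    return parts[0], parts[1], parts[2]


def is_affected(banner: str) -> Optional[bool]:
    """True if the banner version lies in an affected range, False if it does not,
    None if the banner reveals no version and a manual check is needed.
    Caveat: distribution packages with a backported fix keep the old upstream
    version string, so True means 'verify the package', not 'vulnerable'."""
    version = parse_version(banner)
    if version is None:
        return None
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def fixed_release(banner: str) -> Optional[str]:
    """Upstream release that closes the issue for an affected banner, else None."""
    version = parse_version(banner)
    if version is None or not is_affected(banner):
        return None
    return FIXED_VERSIONS.get(version[:2])


# Only a "refresh" parameter at the start of the query or after an '&' counts.
_REFRESH_RE = re.compile(r"(?:^|&)refresh(?:=([^&]*))?", re.IGNORECASE)


def refresh_header_value(query: str) -> Optional[str]:
    """Value a hardened server-status handler would put in its Refresh header.

    Assumption, not from this page: Apache's CHANGES entry for 2.2.8 records the
    fix as ensuring the refresh parameter is numeric, so only the leading integer
    of ?refresh= survives and a payload such as refresh=1;url=javascript:...
    cannot be echoed into the response header. Returns None when the query does
    not ask for a refresh at all; non-positive or non-numeric values fall back
    to a one-second refresh in this example.
    """
    m = _REFRESH_RE.search(query)
    if m is None:
        return None
    raw = m.group(1) or ""
    digits = re.match(r"\d+", raw)
    seconds = int(digits.group()) if digits else 0
    return str(seconds) if seconds > 0 else "1"


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    for banner in ("Server: Apache/2.2.3 (CentOS)", "Apache/2.2.8 (Unix)", "Server: Apache"):
        print(banner, "->", is_affected(banner), fixed_release(banner))
    print(refresh_header_value("refresh=1;url=javascript:alert(1)"))
```

A True result from is_affected on a Red Hat, CentOS or Oracle Linux host is where the backport caveat bites: the RHSA-2008:0005/0006/0008 errata in the References patched httpd 2.0.x and 2.2.x packages without changing the version in the banner, so confirm with the package changelog before reporting a finding.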

References

http://docs.info.apple.com/article.html?artnum=307562

http://httpd.apache.org/security/vulnerabilities_13.html

http://httpd.apache.org/security/vulnerabilities_20.html

http://httpd.apache.org/security/vulnerabilities_22.html

http://lists.apple.com/archives/security-announce/2008//May/msg00001.html

http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00004.html

http://lists.vmware.com/pipermail/security-announce/2009/000062.html

http://marc.info/?l=bugtraq&m=130497311408250&w=2

http://secunia.com/advisories/28467

http://secunia.com/advisories/28471

http://secunia.com/advisories/28526

http://secunia.com/advisories/28607

http://secunia.com/advisories/28749

http://secunia.com/advisories/28922

http://secunia.com/advisories/28965

http://secunia.com/advisories/28977

http://secunia.com/advisories/29420

http://secunia.com/advisories/29504

http://secunia.com/advisories/29640

http://secunia.com/advisories/29806

http://secunia.com/advisories/29988

http://secunia.com/advisories/30356

http://secunia.com/advisories/30430

http://secunia.com/advisories/30732

http://secunia.com/advisories/31142

http://secunia.com/advisories/32800

http://secunia.com/advisories/33200

http://securityreason.com/securityalert/3541

http://securitytracker.com/id?1019154

http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.595748

http://sunsolve.sun.com/search/document.do?assetkey=1-26-233623-1

http://support.avaya.com/elmodocs2/security/ASA-2008-032.htm

http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=689039

http://www.fujitsu.com/global/support/software/security/products-f/interstage-200808e.html

http://www.mandriva.com/security/advisories?name=MDVSA-2008:014

http://www.mandriva.com/security/advisories?name=MDVSA-2008:015

http://www.mandriva.com/security/advisories?name=MDVSA-2008:016

http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

http://www.redhat.com/support/errata/RHSA-2008-0004.html

http://www.redhat.com/support/errata/RHSA-2008-0005.html

http://www.redhat.com/support/errata/RHSA-2008-0006.html

http://www.redhat.com/support/errata/RHSA-2008-0007.html

http://www.redhat.com/support/errata/RHSA-2008-0008.html

http://www.redhat.com/support/errata/RHSA-2008-0009.html

http://www.redhat.com/support/errata/RHSA-2008-0261.html

http://www.securityfocus.com/archive/1/488082/100/0/threaded

http://www.securityfocus.com/archive/1/494428/100/0/threaded

http://www.securityfocus.com/archive/1/498523/100/0/threaded

http://www.securityfocus.com/archive/1/505990/100/0/threaded

http://www.securityfocus.com/bid/27237

http://www.ubuntu.com/usn/usn-575-1

http://www.us-cert.gov/cas/techalerts/TA08-150A.html

http://www.vupen.com/english/advisories/2008/0047

http://www.vupen.com/english/advisories/2008/0447/references

http://www.vupen.com/english/advisories/2008/0554

http://www.vupen.com/english/advisories/2008/0809/references

http://www.vupen.com/english/advisories/2008/0924/references

http://www.vupen.com/english/advisories/2008/0986/references

http://www.vupen.com/english/advisories/2008/1224/references

http://www.vupen.com/english/advisories/2008/1623/references

http://www.vupen.com/english/advisories/2008/1697

http://www-1.ibm.com/support/docview.wss?uid=swg1PK62966

http://www-1.ibm.com/support/docview.wss?uid=swg1PK63273

http://www-1.ibm.com/support/docview.wss?uid=swg24019245

http://www-1.ibm.com/support/search.wss?rs=0&q=PK59667&apar=only

http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2008/05/023342-01.pdf

https://exchange.xforce.ibmcloud.com/vulnerabilities/39472

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10272

https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00541.html

https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00562.html

Details

Source: MITRE

Published: 2008-01-08

Updated: 2021-03-30

Type: CWE-79

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.22:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.23:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.25:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.26:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.27:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.28:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.29:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.30:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.31:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.32:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.33:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.37:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.38:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:1.3.39:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.40:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.41:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.42:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.43:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.44:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.45:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.47:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.48:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.49:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.50:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.51:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.52:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.53:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.54:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.55:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.56:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.57:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.58:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.59:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.60:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.0.61:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:*

Tenable Plugins

40 total

ID | Name | Product | Family | Severity
69301 | Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities | Nessus | Web Servers | critical
67633 | Oracle Linux 5 : httpd (ELSA-2008-0008) | Nessus | Oracle Linux Local Security Checks | medium
67632 | Oracle Linux 4 : httpd (ELSA-2008-0006) | Nessus | Oracle Linux Local Security Checks | medium
67631 | Oracle Linux 3 : httpd (ELSA-2008-0005) | Nessus | Oracle Linux Local Security Checks | medium
63857 | RHEL 3 / 4 : Proxy Server (RHSA-2008:0523) | Nessus | Red Hat Local Security Checks | high
63853 | RHEL 4 : Proxy Server (RHSA-2008:0263) | Nessus | Red Hat Local Security Checks | medium
60345 | Scientific Linux Security Update : httpd on SL3.x, SL4.x, SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | medium
43837 | RHEL 3 / 4 : Satellite Server (RHSA-2008:0524) | Nessus | Red Hat Local Security Checks | critical
43835 | RHEL 4 : Satellite Server (RHSA-2008:0261) | Nessus | Red Hat Local Security Checks | critical
43666 | CentOS 5 : httpd (CESA-2008:0008) | Nessus | CentOS Local Security Checks | medium
41207 | SuSE9 Security Update : Apache (YOU Patch Number 12125) | Nessus | SuSE Local Security Checks | medium
41206 | SuSE9 Security Update : Apache 2 (YOU Patch Number 12124) | Nessus | SuSE Local Security Checks | medium
39378 | HP-UX PHSS_38148 : s700_800 11.X OV NNM7.53 IA-64 Intermediate Patch 19 | Nessus | HP-UX Local Security Checks | high
39377 | HP-UX PHSS_38147 : s700_800 11.X OV NNM7.53 PA-RISC Intermediate Patch 19 | Nessus | HP-UX Local Security Checks | high
36524 | Mandriva Linux Security Advisory : apache (MDVSA-2008:016) | Nessus | Mandriva Local Security Checks | medium
34952 | HP-UX PHSS_38761 : s700_800 11.X OV NNM7.01 Intermediate Patch 12 | Nessus | HP-UX Local Security Checks | critical
33747 | Slackware 12.0 / 12.1 / current : httpd (SSA:2008-210-02) | Nessus | Slackware Local Security Checks | medium
32478 | Mac OS X Multiple Vulnerabilities (Security Update 2008-003) | Nessus | MacOS X Local Security Checks | critical
32477 | Mac OS X 10.5.x < 10.5.3 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical
31768 | SuSE 10 Security Update : Apache 2 (ZYPP Patch Number 5128) | Nessus | SuSE Local Security Checks | medium
31767 | openSUSE 10 Security Update : apache2 (apache2-5127) | Nessus | SuSE Local Security Checks | medium
31766 | openSUSE 10 Security Update : apache2 (apache2-5126) | Nessus | SuSE Local Security Checks | medium
31765 | openSUSE 10 Security Update : apache2 (apache2-5125) | Nessus | SuSE Local Security Checks | medium
31605 | Mac OS X Multiple Vulnerabilities (Security Update 2008-002) | Nessus | MacOS X Local Security Checks | critical
31408 | Apache 1.3.x < 1.3.41 Multiple Vulnerabilities (DoS, XSS) | Nessus | Web Servers | medium
31407 | Apache < 2.0.63 Multiple XSS Vulnerabilities | Nessus | Web Servers | medium
4385 | Apache < 2.2.8 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | high
31118 | Apache 2.2.x < 2.2.8 Multiple Vulnerabilities (XSS, DoS) | Nessus | Web Servers | medium
31105 | Fedora 7 : httpd-2.2.8-1.fc7 (2008-1711) | Nessus | Fedora Local Security Checks | medium
31103 | Fedora 8 : httpd-2.2.8-1.fc8 (2008-1695) | Nessus | Fedora Local Security Checks | medium
31100 | Slackware 10.0 / 10.1 / 10.2 / 11.0 / 8.1 / 9.0 / 9.1 : apache (SSA:2008-045-02) | Nessus | Slackware Local Security Checks | medium
31099 | Slackware 12.0 / current : httpd (SSA:2008-045-01) | Nessus | Slackware Local Security Checks | medium
30184 | Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : apache2 vulnerabilities (USN-575-1) | Nessus | Ubuntu Local Security Checks | medium
29977 | RHEL 5 : httpd (RHSA-2008:0008) | Nessus | Red Hat Local Security Checks | medium
29976 | RHEL 4 : httpd (RHSA-2008:0006) | Nessus | Red Hat Local Security Checks | medium
29975 | RHEL 3 : httpd (RHSA-2008:0005) | Nessus | Red Hat Local Security Checks | medium
29974 | RHEL 2.1 : apache (RHSA-2008:0004) | Nessus | Red Hat Local Security Checks | medium
29967 | CentOS 4 : httpd (CESA-2008:0006) | Nessus | CentOS Local Security Checks | medium
29966 | CentOS 3 : httpd (CESA-2008:0005) | Nessus | CentOS Local Security Checks | medium
800581 | Apache < 2.2.8 Multiple Vulnerabilities | Log Correlation Engine | Web Servers | low