CVE-2012-2687

LOW

Description

Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.

References

http://httpd.apache.org/security/vulnerabilities_24.html

http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html

http://lists.opensuse.org/opensuse-updates/2013-02/msg00009.html

http://lists.opensuse.org/opensuse-updates/2013-02/msg00011.html

http://lists.opensuse.org/opensuse-updates/2013-02/msg00012.html

http://mail-archives.apache.org/mod_mbox/www-announce/201208.mbox/%[email protected]%3E

http://marc.info/?l=bugtraq&m=136612293908376&w=2

http://rhn.redhat.com/errata/RHSA-2012-1591.html

http://rhn.redhat.com/errata/RHSA-2012-1592.html

http://rhn.redhat.com/errata/RHSA-2012-1594.html

http://rhn.redhat.com/errata/RHSA-2013-0130.html

http://secunia.com/advisories/50894

http://secunia.com/advisories/51607

http://support.apple.com/kb/HT5880

http://www-01.ibm.com/support/docview.wss?uid=nas2a2b50a0ca011b37c86257a96003c9a4f

http://www.apache.org/dist/httpd/CHANGES_2.4.3

http://www.fujitsu.com/global/support/software/security/products-f/interstage-201303e.html

http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

http://www.securityfocus.com/bid/55131

http://www.ubuntu.com/usn/USN-1627-1

http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18832

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19539

Details

Source: MITRE

Published: 2012-08-22

Updated: 2017-09-19

Type: CWE-79

Risk Information

CVSS v2.0

Base Score: 2.6

Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Impact Score: 2.9

Exploitability Score: 4.9

Severity: LOW