Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.
http://httpd.apache.org/security/vulnerabilities_24.html
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00009.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00011.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00012.html
http://mail-archives.apache.org/mod_mbox/www-announce/201208.mbox/%[email protected]%3E
http://marc.info/?l=bugtraq&m=136612293908376&w=2
http://rhn.redhat.com/errata/RHSA-2012-1591.html
http://rhn.redhat.com/errata/RHSA-2012-1592.html
http://rhn.redhat.com/errata/RHSA-2012-1594.html
http://rhn.redhat.com/errata/RHSA-2013-0130.html
http://secunia.com/advisories/50894
http://secunia.com/advisories/51607
http://support.apple.com/kb/HT5880
http://www.apache.org/dist/httpd/CHANGES_2.4.3
http://www.fujitsu.com/global/support/software/security/products-f/interstage-201303e.html
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
http://www.securityfocus.com/bid/55131
http://www.ubuntu.com/usn/USN-1627-1
http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf
http://www-01.ibm.com/support/docview.wss?uid=nas2a2b50a0ca011b37c86257a96003c9a4f
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18832
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19539
OR
cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*
ID | Name | Product | Family | Severity |
---|---|---|---|---|
98901 | Apache 2.4.x < 2.4.3 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | medium |
84878 | Juniper NSM < 2012.2R9 Apache HTTP Server Multiple Vulnerabilities (JSA10685) (credentialed check) | Nessus | Misc. | medium |
84877 | Juniper NSM < 2012.2R9 Apache HTTP Server Multiple Vulnerabilities (JSA10685) | Nessus | Misc. | medium |
83578 | SUSE SLES10 Security Update : apache2 (SUSE-SU-2013:0469-1) | Nessus | SuSE Local Security Checks | medium |
83577 | SUSE SLES10 Security Update : apache2 (SUSE-SU-2013:0387-1) | Nessus | SuSE Local Security Checks | medium |
80583 | Oracle Solaris Third-Party Patch Update : apache (multiple_vulnerabilities_in_apache_http2) | Nessus | Solaris Local Security Checks | medium |
80043 | openSUSE Security Update : apache2 (openSUSE-SU-2014:1647-1) | Nessus | SuSE Local Security Checks | medium |
79891 | F5 Networks BIG-IP : Apache HTTP server vulnerability (SOL15901) | Nessus | F5 Networks Local Security Checks | low |
75187 | openSUSE Security Update : apache2 (openSUSE-SU-2013:0245-1) | Nessus | SuSE Local Security Checks | low |
75181 | openSUSE Security Update : apache2 (openSUSE-SU-2013:0243-1) | Nessus | SuSE Local Security Checks | medium |
74964 | openSUSE Security Update : apache2 (openSUSE-SU-2013:0629-1) | Nessus | SuSE Local Security Checks | medium |
8008 | Mac OS X 10.8 < 10.8.5 Multiple Vulnerabilities (Security Update 2013-004) | Nessus Network Monitor | Web Clients | critical |
69878 | Mac OS X Multiple Vulnerabilities (Security Update 2013-004) | Nessus | MacOS X Local Security Checks | critical |
69877 | Mac OS X 10.8.x < 10.8.5 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical |
69301 | Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities | Nessus | Web Servers | critical |
68750 | Oracle Linux 6 : httpd (ELSA-2013-0512) | Nessus | Oracle Linux Local Security Checks | medium |
68701 | Oracle Linux 5 : httpd (ELSA-2013-0130) | Nessus | Oracle Linux Local Security Checks | medium |
65145 | CentOS 6 : httpd (CESA-2013:0512) | Nessus | CentOS Local Security Checks | medium |
65025 | SuSE 10 Security Update : apache2 (ZYPP Patch Number 8443) | Nessus | SuSE Local Security Checks | medium |
65023 | SuSE 11.2 Security Update : Apache (SAT Patch Number 7409) | Nessus | SuSE Local Security Checks | medium |
64952 | Scientific Linux Security Update : httpd on SL6.x i386/x86_64 (20130221) | Nessus | Scientific Linux Local Security Checks | medium |
64761 | RHEL 6 : httpd (RHSA-2013:0512) | Nessus | Red Hat Local Security Checks | medium |
64595 | Fedora 17 : httpd-2.2.23-1.fc17 (2013-1661) | Nessus | Fedora Local Security Checks | medium |
64072 | RHEL 6 : JBoss EAP (RHSA-2012:1592) | Nessus | Red Hat Local Security Checks | critical |
64071 | RHEL 5 : JBoss EAP (RHSA-2012:1591) | Nessus | Red Hat Local Security Checks | critical |
63597 | Scientific Linux Security Update : httpd on SL5.x i386/x86_64 (20130108) | Nessus | Scientific Linux Local Security Checks | medium |
63575 | CentOS 5 : httpd (CESA-2013:0130) | Nessus | CentOS Local Security Checks | medium |
63411 | RHEL 5 : httpd (RHSA-2013:0130) | Nessus | Red Hat Local Security Checks | medium |
62869 | Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : apache2 vulnerabilities (USN-1627-1) | Nessus | Ubuntu Local Security Checks | low |
62806 | FreeBSD : apache22 -- several vulnerabilities (65539c54-2517-11e2-b9d6-20cf30e32f6d) | Nessus | FreeBSD Local Security Checks | low |
62386 | Mandriva Linux Security Advisory : apache (MDVSA-2012:154-1) | Nessus | Mandriva Local Security Checks | medium |
6576 | Apache 2.2 < 2.2.23 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium |
62101 | Apache 2.2.x < 2.2.23 Multiple Vulnerabilities | Nessus | Web Servers | medium |
6550 | Apache 2.4.1, 2.4.2 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium |
61644 | Apache 2.4.x < 2.4.3 Multiple Vulnerabilities | Nessus | Web Servers | medium |