httpd | Apache Team Foundation | HTTPD:E3E8BE7E36621C4506552BA051ECC3C8
History: Jul 09, 2019 - 12:00 a.m.

Apache Httpd < 2.4.41 : Limited cross-site scripting in mod_proxy error page

2019-07-09 00:00:00
Apache Team Foundation
httpd.apache.org

CVSS2: 4.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 6.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.081
Percentile: 94.5%

A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed. We have taken this opportunity to also remove request data from many other in-built error messages. Note, however, that this issue did not affect them directly and their output was already escaped to prevent cross-site scripting attacks.

Affected configurations

Vulners
Node: apache apache_httpd, Match any of (OR):
2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0

Vendor | Product | Version | CPE
apache | apache_httpd | 2.4.39 | cpe:2.3:a:apache:apache_httpd:2.4.39:*:*:*:*:*:*:*
apache | apache_httpd | 2.4.38 | cpe:2.3:a:apache:apache_httpd:2.4.38:*:*:*:*:*:*:*
apache | apache_httpd | 2.4.37 | cpe:2.3:a:apache:apache_httpd:2.4.37:*:*:*:*:*:*:*
apache | apache_httpd | 2.4.35 | cpe:2.3:a:apache:apache_httpd:2.4.35:*:*:*:*:*:*:*
apache | apache_httpd | 2.4.34 | cpe:2.3:a:apache:apache_httpd:2.4.34:*:*:*:*:*:*:*
apache | apache_httpd | 2.4.33 | cpe:2.3:a:apache:apache_httpd:2.4.33:*:*:*:*:*:*:*
apache | apache_httpd | 2.4.30 | cpe:2.3:a:apache:apache_httpd:2.4.30:*:*:*:*:*:*:*
apache | apache_httpd | 2.4.29 | cpe:2.3:a:apache:apache_httpd:2.4.29:*:*:*:*:*:*:*
apache | apache_httpd | 2.4.28 | cpe:2.3:a:apache:apache_httpd:2.4.28:*:*:*:*:*:*:*
apache | apache_httpd | 2.4.27 | cpe:2.3:a:apache:apache_httpd:2.4.27:*:*:*:*:*:*:*