Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2008-0455 — Cross-site Scripting in Apache Http Server
Severity
4.3MEDIUMNVD
EPSS
52.0%
top 2.08%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
PublishedJan 25
Latest updateMay 1
Description
Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omit…
CVSS vector
AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9
Affected Packages5 packages
🔴Vulnerability Details
3GHSA▶
GHSA-3rhp-x8rm-9rvr: Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2↗2022-05-01
OSV▶
CVE-2008-0455: Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2↗2008-01-25
CVEList▶
CVE-2008-0455: Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2↗2008-01-25
💥Exploits & PoCs
1📋Vendor Advisories
2💬Community
1Bugzilla▶
CVE-2012-2687 CVE-2008-0455 httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled↗2012-08-22