Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-2168 — Cross-site Scripting in Apache Http Server

CWE-79 — Cross-site Scripting9 documents9 sources
Severity
4.3MEDIUMNVD
EPSS
50.4%
top 2.15%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Apache Http Server
Timeline
PublishedMay 13
Latest updateMay 1

Description

Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded URLs that are not properly handled when displaying the 403 Forbidden error page.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

â–¶NVDapache/http_server46 versions+45

🔴Vulnerability Details

3
GHSA
GHSA-wxxw-99hq-72vw: Cross-site scripting (XSS) vulnerability in Apache 2↗2022-05-01
â–¶
OSV
CVE-2008-2168: Cross-site scripting (XSS) vulnerability in Apache 2↗2008-05-13
â–¶
CVEList
CVE-2008-2168: Cross-site scripting (XSS) vulnerability in Apache 2↗2008-05-13
â–¶

💥Exploits & PoCs

1
Exploit-DB
Microsoft Internet Explorer 2 - UTF-7 HTTP Response Handling↗2008-05-08
â–¶

📋Vendor Advisories

3
Ubuntu
Apache vulnerabilities↗2009-03-10
â–¶
Red Hat
httpd: XSS via UTF-7 encoded urls on the 403 Forbidden error page↗2008-05-08
â–¶
Debian
CVE-2008-2168: apache2 - Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remo...↗2008
â–¶

💬Community

1
Bugzilla
CVE-2008-2168 httpd: XSS via UTF-7 encoded urls on the 403 Forbidden error page↗2008-05-14
â–¶
CVE-2008-2168 — Cross-site Scripting in Apache | cvebase