CVE-2012-2687Cross-site Scripting in Apache Http Server

CWE-79Cross-site Scripting9 documents8 sources
Severity
2.6LOWNVD
EPSS
8.3%
top 7.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Http Server
Timeline
PublishedAug 22
Latest updateMay 13

Description

Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.

CVSS vector

AV:N/AC:H/C:N/I:P/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages1 packages

NVDapache/http_server25 versions+24

🔴Vulnerability Details

3
GHSA
GHSA-8v5x-5rvv-5j4v: Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation2022-05-13
OSV
CVE-2012-2687: Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation2012-08-22
CVEList
CVE-2012-2687: Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation2012-08-22

📋Vendor Advisories

3
Ubuntu
Apache HTTP Server vulnerabilities2012-11-08
Red Hat
httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled2012-06-13
Debian
CVE-2012-2687: apache2 - Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list fun...2012

💬Community

2
Bugzilla
CVE-2012-2687 httpd (mod_negotiation): XSS for sites using mod_negotiation and allowing untrusted uploads to locations with MultiViews enabled [fedora-all]2012-08-23
Bugzilla
CVE-2012-2687 CVE-2008-0455 httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled2012-08-22
CVE-2012-2687 — Cross-site Scripting in Apache | cvebase