CVE-2000-1205

Apache HTTP Server 1.3.0-1.3.11 - Cross-Site Scripting via ap_send_error_response Function

Title source: llm
STIX 2.1

Description

Cross site scripting vulnerabilities in Apache 1.3.0 through 1.3.11 allow remote attackers to execute script as other web site visitors via (1) the printenv CGI (printenv.pl), which does not encode its output, (2) pages generated by the ap_send_error_response function such as a default 404, which does not add an explicit charset, or (3) various messages that are generated by certain Apache modules or core code. NOTE: the printenv issue might still exist for web browsers that can render text/plain content types as HTML, such as Internet Explorer, but CVE regards this as a design limitation of those browsers, not Apache. The printenv.pl/acuparam vector, discloser on 20070724, is one such variant.

References (11)

Core 11
Core References
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-12/0233.html
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=118529436424127&w=2
Various Sources mailing-list x_refsource_bugtraq
http://archive.cert.uni-stuttgart.de/bugtraq/2002/12/msg00243.html
Patch, Vendor Advisory x_refsource_confirm
http://httpd.apache.org/info/css-security/apache_specific.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/10938
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/35597

Scores

EPSS 0.2346
EPSS Percentile 97.5%

Details

CWE
CWE-79
Status published
Products (12)
apache/http_server 1.3.0
apache/http_server 1.3.1
apache/http_server 1.3.2
apache/http_server 1.3.3
apache/http_server 1.3.4
apache/http_server 1.3.5
apache/http_server 1.3.6
apache/http_server 1.3.7
apache/http_server 1.3.8
apache/http_server 1.3.9
... and 2 more
Published Feb 01, 2000
Tracked Since Feb 18, 2026