CVE-2008-0455

Apache HTTP Server < 2.2.23 - XSS

Title source: rule

Description

Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Stefano Di Paola · javaremotelinux

https://www.exploit-db.com/exploits/31052

View Code ZIP pw:eip

References (26)

[Third Party Advisory] http://rhn.redhat.com/errata/RHSA-2012-1591.html

[Third Party Advisory] http://rhn.redhat.com/errata/RHSA-2012-1592.html

[Third Party Advisory] http://rhn.redhat.com/errata/RHSA-2012-1594.html

[Third Party Advisory] http://rhn.redhat.com/errata/RHSA-2013-0130.html

[Not Applicable] http://secunia.com/advisories/29348

[Not Applicable] http://secunia.com/advisories/51607

[Third Party Advisory] http://security.gentoo.org/glsa/glsa-200803-19.xml

[Exploit, Third Party Advisory] http://securityreason.com/securityalert/3575

[Broken Link, Exploit, Third Party Advisory, VDB Entry] http://securitytracker.com/id?1019256

[Exploit] http://www.mindedsecurity.com/MSA01150108.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/486847/100/0/threaded

[Exploit, Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/27409

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/39867

[Mailing List] https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r05b5357d1f6bd106f41541ee7d87aafe3f5ea4dc3e9bde5ce09baff8%40%3Ccvs.httpd.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

... and 6 more

Scores

EPSS 0.5197

EPSS Percentile 97.9%

Details

CWE

CWE-79

Status published

Products (6)

apache/http_server 2.2.0 - 2.2.23

redhat/enterprise_linux_desktop 5.0

redhat/enterprise_linux_server 5.0

redhat/enterprise_linux_workstation 5.0

redhat/jboss_enterprise_application_platform 6.0.0

redhat/jboss_enterprise_application_platform 6.4.0

Published Jan 25, 2008

Tracked Since Feb 18, 2026