CVE-2012-2687

Apache HTTP Server <2.4.3 - XSS

Title source: llm

Description

Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.

References (42)

[Mailing List] http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2012-1591.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2012-1592.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2012-1594.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2013-0130.html

[Vendor Advisory] http://httpd.apache.org/security/vulnerabilities_24.html

[Mailing List] http://lists.opensuse.org/opensuse-updates/2013-02/msg00009.html

[Mailing List] http://lists.opensuse.org/opensuse-updates/2013-02/msg00011.html

[Mailing List] http://lists.opensuse.org/opensuse-updates/2013-02/msg00012.html

[Various Sources] http://mail-archives.apache.org/mod_mbox/www-announce/201208.mbox/%3C0BFFEA9B-801B-4BAA-9534-56F640268E30%40apache.org%3E

[Mailing List] http://marc.info/?l=bugtraq&m=136612293908376&w=2

[Vendor Advisory] http://support.apple.com/kb/HT5880

[Various Sources] http://www-01.ibm.com/support/docview.wss?uid=nas2a2b50a0ca011b37c86257a96003c9a4f

[Various Sources] http://www.apache.org/dist/httpd/CHANGES_2.4.3

[Various Sources] http://www.fujitsu.com/global/support/software/security/products-f/interstage-201303e.html

[Vendor Advisory] http://www.ubuntu.com/usn/USN-1627-1

[Various Sources] http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf

[Mailing List] https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/55131

[Vendor Advisory] http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

... and 22 more

Scores

EPSS 0.0827

EPSS Percentile 92.1%

Classification

CWE

CWE-79

Status published

Affected Products (26)

apache/http_server

apache/http_server

apache/http_server

apache/http_server

apache/http_server

apache/http_server

apache/http_server

apache/http_server

apache/http_server

apache/http_server

apache/http_server

apache/http_server

apache/http_server

apache/http_server

apache/http_server

... and 11 more

Timeline

Published Aug 22, 2012

Tracked Since Feb 18, 2026