CVE-2012-2687

Apache HTTP Server < 2.4.3 - Cross-Site Scripting via Crafted Filename in mod_negotiation

Title source: llm
STIX 2.1

Description

Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.

References (42)

Core 42
Core References
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-1594.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-1592.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0130.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-1591.html
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=136612293908376&w=2
Vendor Advisory x_refsource_confirm
http://httpd.apache.org/security/vulnerabilities_24.html
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1627-1
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-02/msg00011.html
Various Sources x_refsource_confirm
http://www.apache.org/dist/httpd/CHANGES_2.4.3
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-02/msg00012.html
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-02/msg00009.html
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT5880
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/50894
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/55131
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19539
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/51607
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18832

Scores

EPSS 0.2251
EPSS Percentile 97.4%

Details

CWE
CWE-79
Status published
Products (25)
apache/http_server 2.2.0
apache/http_server 2.2.1
apache/http_server 2.2.2
apache/http_server 2.2.3
apache/http_server 2.2.4
apache/http_server 2.2.6
apache/http_server 2.2.8
apache/http_server 2.2.9
apache/http_server 2.2.10
apache/http_server 2.2.11
... and 15 more
Published Aug 22, 2012
Tracked Since Feb 18, 2026