Bugzilla: 850794: CVE-2012-2687 CVE-2008-0455 httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled
The MITRE CVE dictionary describes this issue as:
Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.
The Red Hat Security Response Team has rated this issue as having low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Red Hat security errata
| Platform | Errata | Release date |
|---|---|---|
| Red Hat Enterprise Linux version 5 (httpd) | RHSA-2013:0130 | January 08, 2013 |
| Red Hat Enterprise Linux version 6 (httpd) | RHSA-2013:0512 | February 20, 2013 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2012:1591 | December 18, 2012 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2012:1592 | December 18, 2012 |
| Red Hat JBoss Enterprise Application Platform 6.0 | RHSA-2012:1594 | December 18, 2012 |
This page is generated automatically and has not been checked for errors or omissions.
For clarification or corrections please contact the Red Hat Security Response Team.