Published: 2019-09-26
Description:
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Vendor: Apache
Product: HTTP Server
Version:
2.4.9, 2.4.8, 2.4.7, 2.4.6, 2.4.4, 2.4.39, 2.4.38, 2.4.37, 2.4.36,
2.4.35, 2.4.34, 2.4.33, 2.4.32, 2.4.30, 2.4.3, 2.4.29, 2.4.28, 2.4.27,
2.4.26, 2.4.25, 2.4.24, 2.4.23, 2.4.22, 2.4.21, 2.4.20, 2.4.2, 2.4.19,
2.4.18, 2.4.17, 2.4.16, 2.4.14, 2.4.12, 2.4.10, 2.4.1, 2.4.0
CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None
References:
https://httpd.apache.org/security/vulnerabilities_24.html
Related CVE
CVE-2019-10082
In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.
CVE-2019-0203
10092 apache server