CVE-2008-0455

Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.
Cross-site Scripting
Severity
UNKNOWN
AV:N/AC:M/Au:N/C:N/I:P/A:N
Atk. Vector
NETWORK
Atk. Complexity
MEDIUM
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
VendorProductVersion
apachehttp_server
2.2.0 ≤
𝑥
< 2.2.23
apachehttp_server
2.4.1 ≤
𝑥
< 2.4.3
redhatenterprise_linux_desktop
5.0
redhatenterprise_linux_server
5.0
redhatenterprise_linux_workstation
5.0
redhatjboss_enterprise_application_platform
6.0.0
redhatjboss_enterprise_application_platform
6.4.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
apache2
bullseye
2.4.62-1~deb11u1
fixed
bullseye (security)
2.4.61-1~deb11u1
fixed
bookworm
2.4.62-1~deb12u1
fixed
bookworm (security)
2.4.62-1~deb12u2
fixed
sid
2.4.62-3
fixed
trixie
2.4.62-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
apache
intrepid
dne
hardy
dne
gutsy
dne
feisty
ignored
edgy
ignored
dapper
ignored
apache2
intrepid
not-affected
hardy
not-affected
gutsy
ignored
feisty
ignored
edgy
ignored
dapper
ignored
References