CVE-2012-2687: Apache HTTPD: XSS in mod_negotiation

CVE ID

CVE-2012-2687

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.

Unitrends assessment: Medium Risk

RESOLUTION

You may already have received the fixed httpd package; if not, update httpd.

Fixed in:

  • httpd-2.2.3-74.el5 or later for CentOS5
  • httpd-2.2.15-26.el6 or later for CentOS6

To update to the version with the fix, either run 'yum update httpd' from the command line or perform an update from the UI.
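
To confirm that a system already has one of the fixed builds listed above, the installed package's version-release can be compared numerically against them. The script below is an added example, not part of the original advisory; the function names are hypothetical, and it assumes the version and release fields before the ".elN" tag are purely numeric.

```shell
#!/bin/sh
# Added example: classify an httpd version-release string against the
# fixed builds listed in this advisory. Function names are hypothetical.

# Fixed version-release per CentOS major release (values from the advisory).
fixed_build() {
    case "$1" in
        5) echo "2.2.3-74" ;;
        6) echo "2.2.15-26" ;;
        *) return 1 ;;
    esac
}

# "2.2.15-15.el6.centos.1" -> "6"; prints nothing if there is no .elN tag.
el_major() { echo "$1" | sed -n 's/.*\.el\([0-9][0-9]*\).*/\1/p'; }

# "2.2.15-15.el6.centos.1" -> "2.2.15-15"
strip_dist() { echo "$1" | sed 's/\.el[0-9].*$//'; }

# ver_ge A B: true if A >= B, comparing each numeric field in turn.
# A plain string compare would rank release 105 below release 74.
ver_ge() {
    a=$(echo "$1" | sed 's/[.-]/ /g')
    b=$(echo "$2" | sed 's/[.-]/ /g')
    set -- $b
    for x in $a; do
        y=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Prints "fixed", "vulnerable", or "unknown" (release not covered by this page).
httpd_is_fixed() {
    major=$(el_major "$1")
    want=$(fixed_build "$major") || { echo "unknown"; return 0; }
    have=$(strip_dist "$1")
    if ver_ge "$have" "$want"; then echo "fixed"; else echo "vulnerable"; fi
}

# Check the local package when rpm and httpd are present.
if command -v rpm >/dev/null 2>&1 && rpm -q httpd >/dev/null 2>&1; then
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' httpd)
    echo "httpd $vr: $(httpd_is_fixed "$vr")"
fi
```

The check keys on the package release number, since the fixed CentOS builds keep the 2.2.x upstream version.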

LINK TO ADVISORIES
