Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.
Unitrends assessment: Medium Risk
You may already have received the new httpd, but if not, update httpd.
- httpd-2.2.3-74.el5 or later for CentOS5
- httpd-2.2.15-26.el6 or later for CentOS6