CVE-2008-2168 – Microsoft Internet Explorer 2 - UTF-7 HTTP Response Handling
https://notcve.org/view.php?id=CVE-2008-2168
Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded URLs that are not properly handled when displaying the 403 Forbidden error page. La vulnerabilidad de tipo cross-site-scripting (XSS) en Apache versión 2.2.6 y anteriores, permite a los atacantes remotos inyectar scripts web o HTML arbitrarios por medio de direcciones URL codificadas UTF-7 que no se manejan apropiadamente cuando se muestra la página de error 403 Forbidden . • https://www.exploit-db.com/exploits/31759 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01539432 http://marc.info/?l=bugtraq&m=124654546101607&w=2 http://marc.info/?l=bugtraq&m=125631037611762&w=2 http://secunia.com/advisories/31651 http://secunia.com/advisories/34219 http://secunia.com/advisories/35650 http://securityreason.com/securityalert/3889 http://www.securityfocus.com/archive/1/491862/100/0/threaded http://www.securityfocus.com/archive/1/4919 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2007-6388 – apache mod_status cross-site scripting
https://notcve.org/view.php?id=CVE-2007-6388
Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS), en mod_status, dentro de Apache HTTP Server, en versiones 2.2.0 hasta 2.2.6, 2.0.35 hasta 2.0.61, y 1.3.2 hasta 1.3.39, cuando la página server-status está activada, permite que atacantes remotos inyecten , a su elección, código web o HTML, usando vectores no especificados. • http://docs.info.apple.com/article.html?artnum=307562 http://httpd.apache.org/security/vulnerabilities_13.html http://httpd.apache.org/security/vulnerabilities_20.html http://httpd.apache.org/security/vulnerabilities_22.html http://lists.apple.com/archives/security-announce/2008//May/msg00001.html http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00004.html http://lists.vmware.com/pipermail/security-announce/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2007-5000 – httpd: mod_imagemap XSS
https://notcve.org/view.php?id=CVE-2007-5000
Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en los módulos (1) mod_imap en Apache HTTP Server 1.3.0 hasta 1.3.39 y 2.0.35 hasta 2.0.61, y (2) mod_imagemap en Apache HTTP Server 2.2.0 hasta 2.2.6 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante vectores no especificados. • http://docs.info.apple.com/article.html?artnum=307562 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01345501 http://httpd.apache.org/security/vulnerabilities_13.html http://httpd.apache.org/security/vulnerabilities_20.html http://httpd.apache.org/security/vulnerabilities_22.html http://lists.apple.com/archives/security-announce/2008//May/msg00001.html http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html http://lists.opensuse.org/opensuse-security-announce& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2007-4465 – mod_autoindex XSS
https://notcve.org/view.php?id=CVE-2007-4465
Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en mod_autoindex.c en el servidor HTTP Apache versiones anteriores a 2.2.6, cuando un juego de caracteres en una página generada por el servidor no está definido, permite a atacantes remotos inyectar scripts web o HTML de su elección a través del parámetro P utilizando el juego de caracteres UTF-7. NOTA. Se podría argumentar que este asunto se debe a una limitación de diseño de los navegadores que intentan realizar una detección automática de tipo de contenido. • http://bugs.gentoo.org/show_bug.cgi?id=186219 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01539432 http://lists.apple.com/archives/security-announce/2008//May/msg00001.html http://marc.info/?l=bugtraq&m=124654546101607&w=2 http://marc.info/?l=bugtraq&m=125631037611762&w=2 http://secunia.com/advisories/26842 http://secunia.com/advisories/26952 http://secunia.com/advisories/27563 http://secunia.com/advisories/27732 http://secunia.com/advisories/ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2006-5752 – httpd mod_status XSS
https://notcve.org/view.php?id=CVE-2006-5752
Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection" when the content-type is not specified. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en mod_status.c en el módulo mod_status en Apache HTTP Server (httpd), cuando ExtendedStatus está activado y una página pública estado-servidor está siendo usada, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados afectando a caracteres con navegadores que realizan "detecciones de caracteres" cuando el tipo de contenido no está especificado. • http://bugs.gentoo.org/show_bug.cgi?id=186219 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=245112 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795 http://httpd.apache.org/security/vulnerabilities_13.html http://httpd.apache.org/security/vulnerabilities_20.html http://httpd.apache.org/security/vulnerabilities_22.html http://lists.vmware.com/pipermail/security-announce/2009/000062.html http://osvdb.org/37052 http://rhn.redhat.com/errata/RHSA-2007-053 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •