CVSS: 2.6EPSS: 1%CPEs: 4EXPL: 1CVE-2008-0456 – httpd: mod_negotiation CRLF injection via untrusted file names in directories with MultiViews enabled
https://notcve.org/view.php?id=CVE-2008-0456
CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file. Vulnerabilidad de inyección CRLF (se refiere a CR (retorno de carro) y LF (salto de línea)) en el módulo mod_negotiation de Apache HTTP Server 2.2.6 y anteriores en las series 2.2.x, 2.0.61 y anteriores en las series 2.0.x, y 1.3.39 y anteriores en las series 1.3.x permite a usuarios remotos autenticados inyectar cabeceras HTTP y llevar a cabo ataques de ruptura de respuestas HTTP subiendo un fichero con un nombre multi-línea que contiene secuencias de cabeceras HTTP y una extensión de fichero, lo cual conduce a la inyección en respuestas HTTP (1) "406 Not Acceptable" o (2) "300 Multiple Choices" al omitir la extensión en una petición al fichero. • http://lists.apple.com/archives/security-announce/2009/May/msg00002.html http://rhn.redhat.com/errata/RHSA-2013-0130.html http://secunia.com/advisories/29348 http://secunia.com/advisories/35074 http://security.gentoo.org/glsa/glsa-200803-19.xml http://securityreason.com/securityalert/3575 http://securitytracker.com/id?1019256 http://support.apple.com/kb/HT3549 http://www.mindedsecurity.com/MSA01150108.html http://www.securityfocus.com/archive/1/486847/100/0/threaded http:// • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 4.3EPSS: 1%CPEs: 8EXPL: 2CVE-2008-0005 – mod_proxy_ftp XSS
https://notcve.org/view.php?id=CVE-2008-0005
mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding. mod_proxy_ftp en Apache 2.2.x antes de la versión 2.2.7-dev, 2.0.x antes de la2.0.62-dev, y 1.3.x antes de 1.3.40-dev, no define un conjunto de caracteres, lo que permite que atacantes remootos puedan llevar a cabo ataques de secuencias de comandos (XSS) en sitios cruzados usando una codificación UTF-7. • http://docs.info.apple.com/article.html?artnum=307562 http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00004.html http://lists.vmware.com/pipermail/security-announce/2009/000062.html http://marc.info/?l=bugtraq&m=124654546101607&w=2 http://marc.info/?l=bugtraq&m=125631037611762&w=2 http://marc.info/?l=bugtraq&m=130497311408250&w=2 http://secunia.com/advisories/28467 http://secunia.com/ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2007-6423
https://notcve.org/view.php?id=CVE-2007-6423
Unspecified vulnerability in mod_proxy_balancer for Apache HTTP Server 2.2.x before 2.2.7-dev, when running on Windows, allows remote attackers to trigger memory corruption via a long URL. NOTE: the vendor could not reproduce this issue ** CUESTIONABLE ** Vulnerabilidad no especificada en mod_proxy_balancer para Apache HTTP Server 2.2.x, en versiones anteriores a la 2.2.7-dev, cuando se ejecuta en Windows, permite que atacantes remotos provoquen una corrupción de memoria usando una URL larga. NOTA: el vendedor no pudo reproducir el problema • http://securityreason.com/securityalert/3523 http://www.securityfocus.com/archive/1/486169/100/0/threaded http://www.securityfocus.com/bid/27236 • CWE-399: Resource Management Errors •
CVSS: 4.3EPSS: 4%CPEs: 10EXPL: 0CVE-2007-6420 – mod_proxy_balancer: mod_proxy_balancer CSRF
https://notcve.org/view.php?id=CVE-2007-6420
Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Apache HTTP Server 2.2.x allows remote attackers to gain privileges via unspecified vectors. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en el controlador-balanceador en el componente mod_proxy_balancer en el servidor HTTP de Apache versión 2.2.x, permite a los atacantes remotos conseguir privilegios por medio de vectores no especificados. • http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00000.html http://marc.info/?l=bugtraq&m=123376588623823&w=2 http://secunia.com/advisories/31026 http://secunia.com/advisories/32222 http://secunia.com/advisories/33797 http://secunia.com/advisories/34219 http://security.gentoo.org/glsa/glsa-200807-06.xml http://securityreason.com/securityalert/3523 http://support.apple.com/kb/HT3216 http:/& • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 3.5EPSS: 0%CPEs: 7EXPL: 0CVE-2007-6421 – httpd mod_proxy_balancer cross-site scripting
https://notcve.org/view.php?id=CVE-2007-6421
Cross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) ss, (2) wr, or (3) rr parameters, or (4) the URL. La vulnerabilidad de tipo cross-site-scripting (XSS) en el controlador-balanceador en el componente mod_proxy_balancer en el servidor HTTP de Apache versión 2.2.0 hasta 2.2.6, permite a los atacantes remotos inyectar scripts web o HTML arbitrarios por medio de los parámetros (1) ss, (2) wr o (3) rr, o (4) la dirección URL. • http://docs.info.apple.com/article.html?artnum=307562 http://httpd.apache.org/security/vulnerabilities_22.html http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00004.html http://secunia.com/advisories/28526 http://secunia.com/advisories/28749 http://secunia.com/advisories/28977 http://secunia.com/advisories/29420 http://secunia.com/advisories/29640 http://securityreason.com/securityalert/3523 http:/&# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •