
CVSS: 7.5 • EPSS: 29% • CPEs: 10 • EXPL: 0

18 Mar 2014 — The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request. • http://advisories.mageia.org/MGASA-2014-0135.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSS: 7.5 • EPSS: 42% • CPEs: 14 • EXPL: 0

18 Mar 2014 — The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation. • http://advisories.mageia.org/MGASA-2014-0135.html • CWE-125: Out-of-bounds Read

CVSS: 9.8 • EPSS: 38% • CPEs: 1 • EXPL: 1

23 Jul 2013 — mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698

CVSS: 7.5 • EPSS: 36% • CPEs: 23 • EXPL: 1

10 Jul 2013 — mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI. • http://lists.opensuse.org/opensuse-updates/2013-08/msg00026.html

CVSS: 9.8 • EPSS: 30% • CPEs: 27 • EXPL: 0

14 May 2013 — mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator. • http://lists.opensuse.org/opensuse-updates/2013-08/msg00026.html

CVSS: 6.1 • EPSS: 15% • CPEs: 27 • EXPL: 0

26 Feb 2013 — Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules. • http://httpd.apache.org/security/vulnerabilities_22.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 56% • CPEs: 27 • EXPL: 0

26 Feb 2013 — Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string. • http://httpd.apache.org/security/vulnerabilities_22.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 5% • CPEs: 25 • EXPL: 0

22 Aug 2012 — Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list. • http://httpd.apache.org/security/vulnerabilities_24.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 4% • CPEs: 3 • EXPL: 0

22 Aug 2012 — The proxy functionality in (1) mod_proxy_ajp.c in the mod_proxy_ajp module and (2) mod_proxy_http.c in the mod_proxy_http module in the Apache HTTP Server 2.4.x before 2.4.3 does not properly determine the situations that require closing a back-end connection, which allows remote attackers to obtain sensitive information in opportunistic circumstances by reading a response that was intended for a different client. • http://httpd.apache.org/security/vulnerabilities_24.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

18 Apr 2012 — envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl. • http://article.gmane.org/gmane.comp.apache.devel/48158