CVE-2002-1157

Severity Score

7.5

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Cross-site scripting vulnerability in the mod_ssl Apache module 2.8.9 and earlier, when UseCanonicalName is off and wildcard DNS is enabled, allows remote attackers to execute script as other web site visitors, via the server name in an HTTPS response on the SSL port, which is used in a self-referencing URL, a different vulnerability than CAN-2002-0840.

Vulnerabilidad de scripts en sitios cruzados en el módulo de Apache mod_ssl 2.8.9 y anteriores, cuando UseCanonicalName está desactivado y DNS comodín está activado, permite a atacantes remotos ejecutar scripts como otros visitantes del sitio web, mediante el nombre del servidor en una respuesta HTTPS en el puerto SSL, usado en una URL que se referencia a sí misma. Es una vulnerabilidad distinta de CAN-2002-0840.

*Credits: N/A

CVSS Scores

NISTv2 7.5

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2002-09-26 CVE Reserved
2002-11-04 CVE Published
2023-08-09 EPSS Updated
2024-08-08 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (17)

URL	Tag	Source
http://archives.neohapsis.com/archives/bugtraq/2002-10/0374.html	Mailing List
http://online.securityfocus.com/archive/1/296753	Mailing List
http://www.osvdb.org/2107	Vdb Entry
http://www.securityfocus.com/bid/6029	Vdb Entry

URL	Date	SRC

URL	Date	SRC
http://www.debian.org/security/2002/dsa-181	2008-09-05

URL	Date	SRC
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000541	2008-09-05
http://www.iss.net/security_center/static/10457.php	2008-09-05
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-072.php	2008-09-05
http://www.linuxsecurity.com/advisories/other_advisory-2512.html	2008-09-05
http://www.redhat.com/support/errata/RHSA-2002-222.html	2008-09-05
http://www.redhat.com/support/errata/RHSA-2002-243.html	2008-09-05
http://www.redhat.com/support/errata/RHSA-2002-244.html	2008-09-05
http://www.redhat.com/support/errata/RHSA-2002-248.html	2008-09-05
http://www.redhat.com/support/errata/RHSA-2002-251.html	2008-09-05
http://www.redhat.com/support/errata/RHSA-2003-106.html	2008-09-05
https://access.redhat.com/security/cve/CVE-2002-1157	2003-04-22
https://bugzilla.redhat.com/show_bug.cgi?id=1616849	2003-04-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mod Ssl Search vendor "Mod Ssl"		Mod Ssl Search vendor "Mod Ssl" for product "Mod Ssl"				<= 2.8.9 Search vendor "Mod Ssl" for product "Mod Ssl" and version " <= 2.8.9"		-		Affected