CVE-2007-6388

apache mod_status cross-site scripting

Severity Score

6.1
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Cross-site scripting (XSS) vulnerability in mod_status in Apache HTTP Server, in versions 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject web script or HTML of their choosing via unspecified vectors.

A flaw found in the mod_imagemap module could lead to a cross-site scripting attack on sites where mod_imagemap was enabled and an imagemap file was publicly available. A flaw found in the mod_status module could lead to a cross-site scripting attack on sites where mod_status was enabled and the status pages were publicly available. A flaw found in the mod_proxy_balancer module could lead to a cross-site scripting attack against an authorized user on sites where mod_proxy_balancer was enabled. Another flaw in the mod_proxy_balancer module was found where, on sites with the module enabled, an authorized user could send a carefully crafted request that would cause the apache child process handling the request to crash, which could lead to a denial of service if using a threaded MPM. A flaw found in the mod_proxy_ftp module could lead to a cross-site scripting attack against web browsers which do not correctly derive the response character set following the rules in RFC 2616, on sites where the mod_proxy_ftp module was enabled.

*Credits: N/A
CVSS Scores
CVSS v3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

CVSS v2
Attack Vector: Network
Attack Complexity: Medium
Authentication: None
Confidentiality: None
Integrity: Partial
Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2007-12-17 CVE Reserved
  • 2008-01-08 CVE Published
  • 2024-08-07 CVE Updated
  • 2025-07-04 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (88)
URL Tag Source
http://docs.info.apple.com/article.html?artnum=307562 Third Party Advisory
http://httpd.apache.org/security/vulnerabilities_13.html Third Party Advisory
http://httpd.apache.org/security/vulnerabilities_20.html Third Party Advisory
http://httpd.apache.org/security/vulnerabilities_22.html Third Party Advisory
http://lists.vmware.com/pipermail/security-announce/2009/000062.html Mailing List
http://secunia.com/advisories/28467 Third Party Advisory
http://secunia.com/advisories/28471 Third Party Advisory
http://secunia.com/advisories/28526 Third Party Advisory
http://secunia.com/advisories/28607 Third Party Advisory
http://secunia.com/advisories/28749 Third Party Advisory
http://secunia.com/advisories/28922 Third Party Advisory
http://secunia.com/advisories/28965 Third Party Advisory
http://secunia.com/advisories/28977 Third Party Advisory
http://secunia.com/advisories/29420 Third Party Advisory
http://secunia.com/advisories/29504 Third Party Advisory
http://secunia.com/advisories/29640 Third Party Advisory
http://secunia.com/advisories/29806 Third Party Advisory
http://secunia.com/advisories/29988 Third Party Advisory
http://secunia.com/advisories/30356 Third Party Advisory
http://secunia.com/advisories/30430 Third Party Advisory
http://secunia.com/advisories/30732 Third Party Advisory
http://secunia.com/advisories/31142 Third Party Advisory
http://secunia.com/advisories/32800 Third Party Advisory
http://secunia.com/advisories/33200 Third Party Advisory
http://securityreason.com/securityalert/3541 Third Party Advisory
http://securitytracker.com/id?1019154 Third Party Advisory
http://support.avaya.com/elmodocs2/security/ASA-2008-032.htm Third Party Advisory
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=689039 Broken Link
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200808e.html Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html Not Applicable
http://www.securityfocus.com/archive/1/494428/100/0/threaded Broken Link
http://www.securityfocus.com/archive/1/505990/100/0/threaded Mailing List
http://www.securityfocus.com/bid/27237 Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA08-150A.html Third Party Advisory
http://www.vupen.com/english/advisories/2008/1224/references Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/39472 Third Party Advisory
https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E Mailing List
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10272 Broken Link
URL Date SRC
http://lists.apple.com/archives/security-announce/2008//May/msg00001.html 2024-02-02
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html 2024-02-02
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00004.html 2024-02-02
http://marc.info/?l=bugtraq&m=130497311408250&w=2 2024-02-02
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.595748 2024-02-02
http://sunsolve.sun.com/search/document.do?assetkey=1-26-233623-1 2024-02-02
http://www-1.ibm.com/support/docview.wss?uid=swg1PK62966 2024-02-02
http://www-1.ibm.com/support/docview.wss?uid=swg1PK63273 2024-02-02
http://www-1.ibm.com/support/docview.wss?uid=swg24019245 2024-02-02
http://www-1.ibm.com/support/search.wss?rs=0&q=PK59667&apar=only 2024-02-02
http://www.mandriva.com/security/advisories?name=MDVSA-2008:014 2024-02-02
http://www.mandriva.com/security/advisories?name=MDVSA-2008:015 2024-02-02
http://www.redhat.com/support/errata/RHSA-2008-0004.html 2024-02-02
http://www.redhat.com/support/errata/RHSA-2008-0005.html 2024-02-02
http://www.redhat.com/support/errata/RHSA-2008-0006.html 2024-02-02
http://www.redhat.com/support/errata/RHSA-2008-0007.html 2024-02-02
http://www.redhat.com/support/errata/RHSA-2008-0008.html 2024-02-02
http://www.redhat.com/support/errata/RHSA-2008-0009.html 2024-02-02
http://www.redhat.com/support/errata/RHSA-2008-0261.html 2024-02-02
http://www.securityfocus.com/archive/1/488082/100/0/threaded 2024-02-02
http://www.securityfocus.com/archive/1/498523/100/0/threaded 2024-02-02
http://www.ubuntu.com/usn/usn-575-1 2024-02-02
https://access.redhat.com/security/cve/CVE-2007-6388 2010-08-04
https://bugzilla.redhat.com/show_bug.cgi?id=427228 2010-08-04
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Apache Http Server >= 1.3.2 <= 1.3.39 - Affected
Apache Http Server >= 2.0.35 <= 2.0.61 - Affected
Apache Http Server >= 2.2.0 <= 2.2.6 - Affected