Vulnerability Description
Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header, a different vulnerability than CAN-2002-1157.
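The mechanism is simple: with UseCanonicalName Off, the server derives its own name from whatever the client sent in the Host: header, and the default error page prints that name without HTML-escaping it. A wildcard DNS record (*.example.com resolving to the server) lets an attacker embed the script in the hostname of an ordinary link, so the victim's browser sends it in Host: and receives it back in the error page. The following Python is an added example, not code from the advisory or from Apache: it builds the probe hostname, renders a constructed Apache-style 404 page in the vulnerable and hardened forms, and classifies a response body; the function names, the `<xss-probe>` marker and the sample page text are this example's own assumptions.

```python
"""Host-header reflection check for server error pages (added example).

The helpers below are hypothetical names for this illustration. The
sample 404 page is constructed to mimic the relevant part of a default
Apache error page (the server signature line carrying the hostname) and
is not Apache's actual template.
"""
import html
import http.client

# A harmless but unambiguous marker. Against a 2002-era server with no
# output encoding, <script> would work just the same; detecting verbatim
# reflection is enough to establish the bug.
PROBE_TAG = '<xss-probe attr="1">'


def build_probe_host(victim_host: str, marker: str = PROBE_TAG) -> str:
    """Hostname an attacker would put in a link under a wildcard zone.

    Assumption (the advisory's precondition): *.victim_host resolves to
    the target, so http://<marker>.victim_host/ still reaches it and
    the browser sends the marker in the Host: header.
    """
    return f"{marker}.{victim_host}"


def render_error_page(host_header: str, hardened: bool) -> str:
    """Constructed sample 404 page.

    With UseCanonicalName Off the server's idea of its own name is the
    raw Host: value; the vulnerable branch inserts it verbatim, the
    hardened branch HTML-escapes it (what a fixed server effectively
    does, alongside UseCanonicalName On).
    """
    name = html.escape(host_header, quote=True) if hardened else host_header
    return (
        "<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY>\n"
        "<H1>Not Found</H1>\n"
        "The requested URL /nope was not found on this server.<P>\n"
        f"<HR>\n<ADDRESS>Apache/1.3.26 Server at {name} Port 80</ADDRESS>\n"
        "</BODY></HTML>\n"
    )


def classify_reflection(body: str, marker: str = PROBE_TAG) -> str:
    """Return 'unescaped' if the marker appears verbatim (exploitable),
    'escaped' if only an HTML-escaped form appears, 'absent' otherwise."""
    if marker in body:
        return "unescaped"
    escaped_forms = (html.escape(marker, quote=True), html.escape(marker, quote=False))
    if any(form in body for form in escaped_forms):
        return "escaped"
    return "absent"


def probe(target: str, port: int = 80,
          path: str = "/this-path-should-not-exist") -> str:
    """Live check: send the marker in Host: and classify the error page.

    No wildcard DNS is needed for the test itself, because the client
    sets the header directly. Run only against systems you are
    authorised to test.
    """
    conn = http.client.HTTPConnection(target, port, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": build_probe_host(target)})
        body = conn.getresponse().read().decode("latin-1", errors="replace")
    finally:
        conn.close()
    return classify_reflection(body)


if __name__ == "__main__":
    # Offline demonstration on the constructed pages.
    host = build_probe_host("www.example.com")
    for hardened in (False, True):
        page = render_error_page(host, hardened)
        label = "hardened  " if hardened else "vulnerable"
        print(f"{label} -> {classify_reflection(page)}")
```

The live `probe` is the same test one would type as `curl -H 'Host: <xss-probe attr="1">.www.example.com' http://www.example.com/this-path-should-not-exist` and then grep the body for the marker. On the server side the configuration counterpart of the hardened branch is `UseCanonicalName On` with an explicit `ServerName`, so self-referential URLs and the signature no longer come from the client-controlled header.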
CVSS Score
6.8 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Http Server | 1.3.x up to 1.3.26; 2.0 before 2.0.43 |
| Oracle | Application Server | 1.0.2 |
| Oracle | Database Server | 8.1.7 |
| Oracle | Oracle8I | 8.1.7 |
| Oracle | Oracle9I | 9.0 |
References
- ftp://patches.sgi.com/support/free/security/advisories/20021105-02-I
- http://archives.neohapsis.com/archives/bugtraq/2002-10/0254.html
- http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0003.html
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000530
- http://marc.info/?l=apache-httpd-announce&m=103367938230488&w=2
- http://marc.info/?l=bugtraq&m=103357160425708&w=2
- http://marc.info/?l=bugtraq&m=103376585508776&w=2
- http://online.securityfocus.com/advisories/4617
- http://www.apacheweek.com/issues/02-10-04 (Vendor Advisory)
- http://www.debian.org/security/2002/dsa-187
- http://www.debian.org/security/2002/dsa-188
- http://www.debian.org/security/2002/dsa-195
- http://www.kb.cert.org/vuls/id/240329 (US Government Resource)
- http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-068.php
- http://www.linuxsecurity.com/advisories/other_advisory-2414.html
FAQ
What is CVE-2002-0840?
CVE-2002-0840 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header, a different vulnerability than CAN-2002-1157.
How severe is CVE-2002-0840?
CVE-2002-0840 has been rated MEDIUM with a CVSS base score of 6.8/10. Only the base score is given here; no CVSS vector breakdown is listed for this entry.
Is there a patch for CVE-2002-0840?
Yes. Per the description, Apache 2.0.43 and 1.3.27 are the first versions without the flaw; the Apache announcement and ApacheWeek entry in the references above cover the fix, and the Debian, Mandrake, Conectiva and SGI advisories cover vendor-built packages. As a configuration workaround on an unpatched server, the description indicates the issue applies only when UseCanonicalName is "Off", so setting UseCanonicalName On with an explicit ServerName stops the Host: header from being used as the server's own name. Affected products include: Apache Http Server, Oracle Application Server, Oracle Database Server, Oracle Oracle8I, Oracle Oracle9I.