Vulnerability Description
Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Http Server | >= 2.2.0, < 2.2.23 |
| Redhat | Enterprise Linux Desktop | 5.0 |
| Redhat | Enterprise Linux Server | 5.0 |
| Redhat | Enterprise Linux Workstation | 5.0 |
| Redhat | Jboss Enterprise Application Platform | 6.0.0 |
| Redhat | Enterprise Linux | 5.0 |
Related Weaknesses (CWE)
References
- http://rhn.redhat.com/errata/RHSA-2012-1591.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2012-1592.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2012-1594.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-0130.htmlThird Party Advisory
- http://secunia.com/advisories/29348Not Applicable
- http://secunia.com/advisories/51607Not Applicable
- http://security.gentoo.org/glsa/glsa-200803-19.xmlThird Party Advisory
- http://securityreason.com/securityalert/3575ExploitThird Party Advisory
- http://securitytracker.com/id?1019256Broken LinkExploitThird Party Advisory
- http://www.mindedsecurity.com/MSA01150108.htmlExploit
- http://www.securityfocus.com/archive/1/486847/100/0/threadedThird Party AdvisoryVDB Entry
- http://www.securityfocus.com/bid/27409ExploitThird Party AdvisoryVDB Entry
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39867Third Party AdvisoryVDB Entry
- https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cd
- https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e10
FAQ
What is CVE-2008-0455?
CVE-2008-0455 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier i...
How severe is CVE-2008-0455?
CVE-2008-0455 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2008-0455?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Workstation, Redhat Jboss Enterprise Application Platform.