CVE-2008-0455

Published: Jan 25, 2008Modified: Apr 23, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.

Affected (7)

Products: Apache: Http Server · Redhat: Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Workstation, Jboss Enterprise Application Platform

Apache

1 product

Http Server

Redhat

4 products

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Workstation

Jboss Enterprise Application Platform

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache Http Server	From 2.2.0 to 2.2.23
Apache Http Server	From 2.4.1 to 2.4.3

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux Desktop	Version 5.0
Redhat Enterprise Linux Server	Version 5.0
Redhat Enterprise Linux Workstation	Version 5.0

Configuration C

2 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Redhat Jboss Enterprise Application Platform	Version 6.0.0
Redhat Jboss Enterprise Application Platform	Version 6.4.0

Running on/with	Platform Versions
Redhat Enterprise Linux	Version 5.0
Redhat Enterprise Linux	Version 6.0

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (52)

http://rhn.redhat.com/errata/RHSA-2012-1591.html

Source: cve@mitre.org

Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2012-1592.html

Source: cve@mitre.org

Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2012-1594.html

Source: cve@mitre.org

Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2013-0130.html

Source: cve@mitre.org

Third Party Advisory

http://secunia.com/advisories/29348

Source: cve@mitre.org

Not Applicable

http://secunia.com/advisories/51607

Source: cve@mitre.org

Not Applicable

http://security.gentoo.org/glsa/glsa-200803-19.xml

Source: cve@mitre.org

Third Party Advisory

http://securityreason.com/securityalert/3575

Source: cve@mitre.org

ExploitThird Party Advisory

http://securitytracker.com/id?1019256

Source: cve@mitre.org

Broken LinkExploitThird Party AdvisoryVDB Entry

http://www.mindedsecurity.com/MSA01150108.html

Source: cve@mitre.org

Exploit

http://www.securityfocus.com/archive/1/486847/100/0/threaded

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/27409

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://exchange.xforce.ibmcloud.com/vulnerabilities/39867

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r05b5357d1f6bd106f41541ee7d87aafe3f5ea4dc3e9bde5ce09baff8%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r9b4b963760a3cb5a4a70c902f325c6c0337fe51d5b8570416f8f8729%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

http://rhn.redhat.com/errata/RHSA-2012-1591.html