Vulnerability CVE-2012-2687: Information

Description

Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.

Severity: LOW (2.6)

Published: Aug. 22, 2012
Modified: Nov. 7, 2023
Error type identifier: CWE-79

References to Advisories, Solutions, and Tools

Hyperlink (Resource)

  • http://httpd.apache.org/security/vulnerabilities_24.html (Vendor Advisory)
  • http://www.apache.org/dist/httpd/CHANGES_2.4.3
  • USN-1627-1
  • RHSA-2012:1592
  • RHSA-2012:1591
  • 51607
  • RHSA-2012:1594
  • openSUSE-SU-2013:0245
  • RHSA-2013:0130
  • openSUSE-SU-2013:0243
  • openSUSE-SU-2013:0248
  • 55131
  • http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf
  • SE53614
  • 50894
  • http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
  • APPLE-SA-2013-09-12-1
  • http://support.apple.com/kb/HT5880
  • SSRT101139
  • http://www.fujitsu.com/global/support/software/security/products-f/interstage-201303e.html
  • oval:org.mitre.oval:def:19539
  • oval:org.mitre.oval:def:18832
  • [announce] 20120821 [ANNOUNCEMENT] Apache HTTP Server 2.4.3 Released
  • [httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
  • [httpd-cvs] 20210330 svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20210330 svn commit: r1073139 [8/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
  • [httpd-cvs] 20210330 svn commit: r1888194 [8/13] - /httpd/site/trunk/content/security/json/
  • [httpd-cvs] 20210330 svn commit: r1073149 [8/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
  • [httpd-cvs] 20210330 svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
  • [httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20210603 svn commit: r1075360 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20210606 svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20210606 svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

1. Configuration 1

  • cpe:2.3:a:apache:http_server:2.2.23:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.13:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.17:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.16:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.21:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.14:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.22:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.19:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.18:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.15:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.20:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.1:*:*:*:*:*:*:*