Description

This alert was generated using only banner information. It may be a false positive.

Fixed in Apache httpd 2.0.63:
  • low: mod_proxy_ftp UTF-7 XSS CVE-2008-0005
    A workaround was added in the mod_proxy_ftp module. On sites where mod_proxy_ftp is enabled and a forward proxy is configured, a cross-site scripting attack is possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616.
  • moderate: mod_status XSS CVE-2007-6388
    A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.
  • moderate: mod_imap XSS CVE-2007-5000
    A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible.

Affected Apache versions (up to 2.0.62).

Remediation

Upgrade Apache 2.x to the latest version.

References

Apache homepage

Apache HTTP Server 2.x announcement

Related Vulnerabilities

WordPress Plugin WordPress Social Ring (Facebook Like, Google +1, ReTweet, LinkedIn and Pin It) Cross-Site Scripting (1.1.9)

WordPress Plugin Thrive Apprentice Security Bypass (2.3.9.3)

WordPress Plugin User Activity Log Multiple Vulnerabilities (1.2.4)

WordPress Plugin Xorbin Digital Flash Clock Cross-Site Scripting (1.0)

PHP Use After Free Vulnerability (CVE-2019-9020)

Severity

Medium

Classification

CVE-2007-5000 CVE-2007-6388 CVE-2008-0005 CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

XSS Missing Update