CVE-2007-6421 - Cross-Site Scripting (XSS) vulnerability in Apache HTTP Server

Publication

2008-01-08

Last modification

2018-10-30

Summary

Cross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) ss, (2) wr, or (3) rr parameters, or (4) the URL.

Classification

CWE-79 - Cross-Site Scripting (XSS)

Risk level (CVSS AV:N/AC:M/Au:S/C:N/I:P/A:N)

Low

3.5

Access Vector

  • Network

Access Complexity

  • Medium

Authentication

  • Single

Confidentiality Impact

  • None

Integrity Impact

  • Partial

Vendor comments

  • Mark J Cox - Apache (2008-07-02)
    Fixed in Apache HTTP Server 2.2.8. http://httpd.apache.org/security/vulnerabilities_22.html

OVAL definition

{
    "accepted": "2013-04-29T04:07:33.628-04:00",
    "class": "vulnerability",
    "contributors": [
        {
            "name": "Aharon Chernin",
            "organization": "SCAP.com, LLC"
        },
        {
            "name": "Dragos Prisaca",
            "organization": "G2, Inc."
        }
    ],
    "definition_extensions": [
        {
            "comment": "The operating system installed on the system is Red Hat Enterprise Linux 5",
            "oval": "oval:org.mitre.oval:def:11414"
        },
        {
            "comment": "The operating system installed on the system is CentOS Linux 5.x",
            "oval": "oval:org.mitre.oval:def:15802"
        },
        {
            "comment": "Oracle Linux 5.x",
            "oval": "oval:org.mitre.oval:def:15459"
        }
    ],
    "description": "Cross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) ss, (2) wr, or (3) rr parameters, or (4) the URL.",
    "family": "unix",
    "id": "oval:org.mitre.oval:def:10664",
    "status": "accepted",
    "submitted": "2010-07-09T03:56:16-04:00",
    "title": "Cross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) ss, (2) wr, or (3) rr parameters, or (4) the URL.",
    "version": "18"
}
{
    "accepted": "2014-07-14T04:01:30.873-04:00",
    "class": "vulnerability",
    "contributors": [
        {
            "name": "J. Daniel Brown",
            "organization": "DTCC"
        },
        {
            "name": "Mike Lah",
            "organization": "The MITRE Corporation"
        },
        {
            "name": "Shane Shaffer",
            "organization": "G2, Inc."
        },
        {
            "name": "Maria Mikhno",
            "organization": "ALTX-SOFT"
        }
    ],
    "definition_extensions": [
        {
            "comment": "Apache HTTP Server 2.2.x is installed on the system",
            "oval": "oval:org.mitre.oval:def:8550"
        }
    ],
    "description": "Cross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) ss, (2) wr, or (3) rr parameters, or (4) the URL.",
    "family": "windows",
    "id": "oval:org.mitre.oval:def:8651",
    "status": "accepted",
    "submitted": "2010-03-08T17:30:00.000-05:00",
    "title": "Apache 'mod_proxy_balancer' Cross-Site Scripting Vulnerability",
    "version": "11"
}

Affected Products

Vendor: Apache
Product: HTTP Server
Versions: 2.2.2, 2.2, 2.2.1, 2.2.4, 2.2.3, 2.2.6