CVE-2002-0840

Description

Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header, a different vulnerability than CAN-2002-1157.

References

https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E

https://exchange.xforce.ibmcloud.com/vulnerabilities/10241

http://www.securityfocus.com/bid/5847

http://www.redhat.com/support/errata/RHSA-2003-106.html

http://www.redhat.com/support/errata/RHSA-2002-251.html

http://www.redhat.com/support/errata/RHSA-2002-248.html

http://www.redhat.com/support/errata/RHSA-2002-244.html

http://www.redhat.com/support/errata/RHSA-2002-243.html

http://www.redhat.com/support/errata/RHSA-2002-222.html

http://www.osvdb.org/862

http://www.linuxsecurity.com/advisories/other_advisory-2414.html

http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-068.php

http://www.kb.cert.org/vuls/id/240329

http://www.debian.org/security/2002/dsa-195

http://www.debian.org/security/2002/dsa-188

http://www.debian.org/security/2002/dsa-187

http://www.apacheweek.com/issues/02-10-04

http://online.securityfocus.com/advisories/4617

http://marc.info/?l=bugtraq&m=103376585508776&w=2

http://marc.info/?l=bugtraq&m=103357160425708&w=2

http://marc.info/?l=apache-httpd-announce&m=103367938230488&w=2

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000530

http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0003.html

http://archives.neohapsis.com/archives/bugtraq/2002-10/0254.html

Details

Source: Mitre, NVD

Risk Information

CVSS v2

CVSS v3