VULHUB ™

A number of Apache core files and modules do not properly escape HTML tags from error messages that are generated and displayed in webpages. If an attacker can cause arbitrary data to be displayed in error output then it is also possible to inject malicious script code. The attacker-supplied script code will be executed in the browser of a user who views the webpage containing the error message. For example, the attacker might construct a malicious link which causes an error page containing script code to be generated when the link is visited. The attacker may then send the malicious link in a HTML e-mail to an arbitrary user. When the user visits the link, the script code will be executed in the context of the page they are visiting.

A number of Apache core files and modules do not properly escape HTML tags from error messages that are generated and displayed in webpages. If an attacker can cause arbitrary data to be displayed in error output then it is also possible to inject malicious script code. The attacker-supplied script code will be executed in the browser of a user who views the webpage containing the error message. For example, the attacker might construct a malicious link which causes an error page containing script code to be generated when the link is visited. The attacker may then send the malicious link in a HTML e-mail to an arbitrary user. When the user visits the link, the script code will be executed in the context of the page they are visiting.