CVE-2006-5752

Summary

Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection" when the content-type is not specified.

Impact & exploitability

AV:N/AC:M/Au:N/C:N/I:P/A:N

Affected products we track (1)

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

• NVD record
• http://httpd.apache.org/security/vulnerabilities_13.htmlAdvisory
• http://httpd.apache.org/security/vulnerabilities_20.htmlAdvisory
• http://httpd.apache.org/security/vulnerabilities_22.htmlAdvisory
• http://bugs.gentoo.org/show_bug.cgi?id=186219Advisory
• http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=245112Advisory
• http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795Advisory
• http://lists.vmware.com/pipermail/security-announce/2009/000062.htmlAdvisory
• http://osvdb.org/37052