- Home
- CVEs with nessus.description==The remote host is running a version of NSM (Network and Security
Manager) Server that is prior to 2012.2R9. It is, therefore, affected
by multiple vulnerabilities in the bundled version of Apache HTTP
Server :
- A flaw exists due to improper escaping of filenames in
406 and 300 HTTP responses. A remote attacker can
exploit this, by uploading a file with a specially
crafted name, to inject arbitrary HTTP headers or
conduct cross-site scripting attacks. (CVE-2008-0456)
- Multiple cross-site scripting vulnerabilities exist in
the mod_negotiation module due to improper sanitization
of input passed via filenames. An attacker can exploit
this to execute arbitrary script code in a user's
browser. (CVE-2012-2687)
- Multiple cross-site scripting vulnerabilities exist in
the mod_info, mod_status, mod_imagemap, mod_ldap, and
mod_proxy_ftp modules due to improper validation of
input passed via the URL or hostnames. An attacker can
exploit this to execute arbitrary script code in a
user's browser. (CVE-2012-3499)
- A cross-site scripting vulnerability exists in the
mod_proxy_balancer module due to improper validation of
input passed via the URL or hostnames. An attacker can
exploit this to execute arbitrary script code in a
user's browser. (CVE-2012-4558)
- A flaw exists in the do_rewritelog() function due to
improper sanitization of escape sequences written to log
files. A remote attacker can exploit this, via a
specially crafted HTTP request, to execute arbitrary
commands. (CVE-2013-1862)
- A denial of service vulnerability exists in mod_dav.c
due to improper validation to determine if DAV is
enabled for a URI. A remote attacker can exploit this,
via a specially crafted MERGE request, to cause a
segmentation fault, resulting in a denial of service
condition. (CVE-2013-1896)
- A denial of service vulnerability exists in the
dav_xml_get_cdata() function
due to improper removal of whitespace characters from
CDATA sections. A remote attacker can exploit this,
via a specially crafted DAV WRITE request, to cause a
daemon crash, resulting in a denial of service
condition. (CVE-2013-6438)
- A flaw exists in log_cookie() function due to the
logging of cookies with an unassigned value. A remote
attacker can exploit this, via a specially crafted
request, to cause a segmentation fault, resulting in a
denial of service condition. (CVE-2014-0098)
- A flaw exists in the deflate_in_filter() function when
request body decompression is configured. A remote
attacker can exploit this, via a specially crafted
request, to exhaust available memory and CPU resources,
resulting in a denial of service condition.
(CVE-2014-0118)
- A race condition exists in the mod_status module due to
improper validation of user-supplied input when handling
the scoreboard. A remote attacker can exploit this, via
a crafted request, to cause a heap-based buffer
overflow, resulting in a denial of service condition or
the execution of arbitrary code. (CVE-2014-0226)
- A flaw exists in the mod_cgid module due to the lack of
a timeout mechanism. A remote attacker can exploit this,
via a request to a CGI script that does not read from
its stdin file descriptor, to cause a denial of service
condition. (CVE-2014-0231)
Max CVSS | 0 |
Min CVSS | 0 |
Total Count | 2 |
| ID | CVSS | Summary | Last (major) update | Published |
Back to Top
Mark selected
Back to Top